traceroute - Mapping a Packet's Journey

If ping checks "whether it reaches the destination," traceroute visualizes "which path it takes to get there." When you access IP Check-san, your packets travel through dozens of network devices - from your home router through your ISP, IX (Internet Exchange Point), undersea cables, and data centers. traceroute displays the IP address and latency of each hop (relay point) along that route.

The TTL Trick - An Ingenious Mechanism

traceroute works by cleverly exploiting the TTL (Time To Live) field in IP packets.

TTL is a counter that decrements by 1 each time a packet passes through a router. When TTL reaches 0, that router discards the packet and sends an ICMP Time Exceeded message back to the sender. This mechanism was designed to prevent packets from looping endlessly on the network.

traceroute turns this mechanism on its head:

  1. Send a packet with TTL=1 → TTL reaches 0 at the first router, which returns ICMP Time Exceeded → The 1st hop's IP address and latency are revealed
  2. Send a packet with TTL=2 → TTL reaches 0 at the second router → The 2nd hop is revealed
  3. Incrementally increase TTL to 3, 4, 5... repeating until the destination is reached

This simple idea of "incrementing TTL by 1" is what makes network route visualization possible.

traceroute vs tracert - Unix and Windows Differences

On Unix/Linux/macOS the command is traceroute, while on Windows it's tracert. Beyond the name, the default behavior also differs.

  • Unix traceroute: Uses UDP packets by default. Sends to destination ports starting from 33434, incrementing each time. When the destination is reached, ICMP Port Unreachable is returned
  • Windows tracert: Uses ICMP Echo Request by default. Since it uses the same protocol as ping, it's more susceptible to firewalls that block ICMP

Unix traceroute can switch to ICMP mode with the -I option or TCP mode with -T. In environments where firewalls block UDP or ICMP, TCP mode (ports 80 or 443) is effective.
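The following Python sketch is an added example, not code from the original page. It shows how a UDP-mode traceroute can match each ICMP reply to the probe that caused it: the error message quotes the original IP header plus the first 8 bytes of the UDP header, so the destination port (33434 + probe number) identifies the probe. The sample packets are constructed in the code, and the addresses, the source port 54321, the function names and the three-probes-per-hop layout are assumptions for illustration.

```python
import socket
import struct

BASE_PORT = 33434        # first UDP destination port, as stated above
PROBES_PER_HOP = 3       # assumption: three probes are sent per TTL value

def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def make_reply(responder, icmp_type, icmp_code, probe_index,
               me="192.168.1.10", target="93.184.216.34"):
    """Construct the ICMP error a router or the target sends for one probe."""
    udp = struct.pack("!HHHH", 54321, BASE_PORT + probe_index, 8, 0)
    quoted = ipv4_header(me, target, 17, 1, len(udp)) + udp
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    return ipv4_header(responder, me, 1, 64, len(icmp)) + icmp

def classify_reply(packet):
    """Return (kind, responder_ip, ttl_of_probe) for a received IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:
        return ("ignored", None, None)          # not ICMP, or too short
    responder = socket.inet_ntoa(packet[12:16])
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    quoted = packet[ihl + 8:]                    # original datagram echoed back
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 17 or len(quoted) < q_ihl + 4:
        return ("ignored", responder, None)      # error is not about a UDP probe
    dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    index = dport - BASE_PORT
    if index < 0:
        return ("ignored", responder, None)      # port below our probe range
    ttl = index // PROBES_PER_HOP + 1
    if (icmp_type, icmp_code) == (11, 0):
        return ("hop", responder, ttl)           # Time Exceeded in transit
    if (icmp_type, icmp_code) == (3, 3):
        return ("destination", responder, ttl)   # Port Unreachable: target reached
    return ("other", responder, ttl)             # e.g. another Unreachable code
```
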

Reading traceroute Output

Typical traceroute output looks like this:

    1 192.168.1.1 1.2 ms 0.9 ms 1.1 ms
    2 10.0.0.1 5.3 ms 4.8 ms 5.1 ms
    3 203.0.113.1 12.4 ms 11.9 ms 12.2 ms
    4 * * *
    5 198.51.100.1 85.3 ms 84.7 ms 85.1 ms
    6 93.184.216.34 90.2 ms 89.8 ms 90.5 ms

  • Hop 1: Your home router. Latency is about 1 ms - local network communication
  • Hops 2-3: Routers within your ISP's network. Latency gradually increases
  • Hop 4 "* * *": This router is configured not to return ICMP Time Exceeded. Packets are passing through, but there's no response. This is not a failure - it's a deliberate firewall configuration that many network administrators apply to hide internal infrastructure
  • Hop 5: Latency jumps dramatically (12 ms → 85 ms). This likely indicates crossing an undersea cable
  • Hop 6: The destination server

Three measurements are taken at each hop because network latency fluctuates, and multiple measurements improve reliability.

The "Geography of the Internet" Visible Through traceroute

traceroute results can reveal the physical path of packets.

  • Sudden latency spikes: Hops crossing intercontinental undersea cables show latency increases of tens of milliseconds. Tokyo to Los Angeles typically adds about 50-60 ms, Tokyo to London about 100-120 ms
  • City names in hostnames: Many ISPs and carriers include city names in router hostnames. Abbreviations like tky (Tokyo), lax (Los Angeles), and ams (Amsterdam) reveal the geographic path of packets
  • AS numbers: traceroute -a (Linux) displays the AS (Autonomous System) number for each hop. AS numbers reveal which organization's network the packets are traversing

Limitations and Caveats of traceroute

  • Asymmetric routes: Outbound and return packets may take different paths. traceroute only shows the outbound route
  • MPLS tunnels: When ISPs use MPLS (Multi-Protocol Label Switching), hops within the tunnel may be invisible
  • Load balancers: Running traceroute to the same destination multiple times may show different routes, as load balancers distribute packets across different paths
  • Rate limiting: When routers rate-limit ICMP Time Exceeded responses, displayed latency may appear higher than actual

Summary

traceroute is an excellent tool that uses the simple TTL mechanism to visualize packet routes. Try running traceroute to the IP address you see on IP Check-san - you'll see which ISPs, cities, and undersea cables your packets traverse. The experience of seeing the Internet's "map" with your own eyes will deepen your understanding of networking.

Related Glossary Terms

  • IP Address: The identifier for routers and servers displayed at each hop by traceroute.
  • ISP: The Internet service provider's network that appears in the first few hops of traceroute.
  • Latency: The response time at each hop. Spikes dramatically when crossing undersea cables.
  • BGP: The inter-ISP route exchange protocol that determines the paths visible in traceroute.
  • Firewall: Blocking ICMP causes "* * *" to appear in traceroute results.