A local area network (LAN) and the Internet itself are, at bottom, just big networks. Networks move traffic by routing packets from point A to point B to point C, and each packet takes some route from its source to its destination. How do you know which route your packet takes? By learning how traceroute works, whether that is Windows 10’s traceroute utility or the traceroute command in Linux/macOS.
Traceroute is typically used as a network troubleshooting utility. It can be found on Windows, Linux, macOS, and many other operating systems in various forms. For IT professionals, you’ll typically find it either as the traceroute binary (Linux/macOS) or the tracert.exe utility on Windows.
In this article, you are going to learn all about the traceroute utility, including its purpose, its various switches, and how to interpret the information it provides. By the end of this article, you’ll have the knowledge to leverage this tool to its fullest potential.
How Does Traceroute Work?
Traceroute’s primary purpose is to discover the route a packet takes when traversing a network. It does this by using error messages to collect information about the routers the packet passes through along the way, taking advantage of the Time-to-Live (TTL) field in the IP packet header. TTL limits the life of a packet, preventing it from circulating on the network indefinitely. This matters when a path fails or a routing loop exists.
As a packet passes through each router, its TTL value is decremented until it reaches 0. When a packet’s TTL reaches 0, the router discards the packet and sends an ICMP_TIME_EXCEEDED message back to the host the packet originated from.
When traceroute sends out a packet to find the path it takes, it alters the TTL field of the packet. Using information from the resulting error messages, traceroute can then piece together and discover the path a packet takes across a network.
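As an added example (not code from the article), the following Python model shows the mechanism just described: a constructed path of routers that each decrement the TTL and answer with a simulated ICMP Time Exceeded when it hits 0, a trace loop that raises the TTL one step at a time, plus a silent router and a routing loop to show where the `*` entries and the maximum-hop limit come from. The addresses and the network layout are made up for the demonstration; nothing is sent on the wire.

```python
# Constructed network: each node's next hop toward the destination. The
# addresses are documentation ranges chosen for this demo, not real routers.
NEXT_HOP = {
    "host": "192.168.1.1",          # hop 1: home router
    "192.168.1.1": "10.0.0.1",      # hop 2: ISP edge
    "10.0.0.1": "203.0.113.5",      # hop 3: transit router
    "203.0.113.5": "198.51.100.9",  # hop 4: the destination itself
}
DEST = "198.51.100.9"

def forward(next_hop, dest, ttl, silent=frozenset()):
    """Carry one probe along the path until it is answered or dropped.

    Returns ("reply", dest) when the probe reaches the destination,
    ("time_exceeded", router) when a router's decrement takes TTL to 0,
    or ("timeout", None) when that router is configured not to send ICMP
    errors (the '*' you see in real traceroute output).
    """
    node = "host"
    while True:
        node = next_hop[node]          # packet arrives at the next device
        if node == dest:
            return ("reply", node)     # destination answers; no decrement
        ttl -= 1                       # a forwarding router decrements TTL
        if ttl == 0:                   # ... and at 0 discards the packet
            if node in silent:
                return ("timeout", None)
            return ("time_exceeded", node)  # ICMP Time Exceeded to the host

def trace(next_hop, dest, max_hops=30, silent=frozenset()):
    """What traceroute does: send probes with TTL 1, 2, 3, ... and read the
    source of each Time Exceeded message to learn the hop at that distance."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, who = forward(next_hop, dest, ttl, silent)
        hops.append((ttl, "*" if kind == "timeout" else who))
        if kind == "reply":            # destination reached: trace complete
            break
    return hops                        # max_hops bounds a routing loop

# A routing loop: 10.0.0.1 sends traffic back to 192.168.1.1 forever, so the
# destination is never reached and the trace stops only at max_hops.
LOOPED = {**NEXT_HOP, "10.0.0.1": "192.168.1.1"}
```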
We’ve already mentioned a few terms but you’ll learn a few more as you read through this article. Let’s cover more of the important terms first.
- Host – A host is the computer or device from which you are running the traceroute tool. This can be a Windows or Linux PC, or a Cisco IOS device.
- Router – A device that forwards or routes packets from network to network through various interfaces.
- Hop – A hop is a router along a network path. Think of a routed packet as ‘hopping’ from one router interface to another as it traverses a network.
- Route – A route is a path between a host and each router interface. A route can be different each time the traceroute tool is run. This is because routing protocols and rules can direct traffic to different interfaces.
- Path – A path is a route taken by a packet traveling from one host to another.
Tracert Command vs Traceroute
There are two primary traceroute utilities that IT pros will run into: traceroute and tracert. As mentioned earlier, you’ll find traceroute in Linux/macOS and tracert in Windows. But there’s also one other big difference: traceroute uses ICMP and tracert uses UDP.
The data returned whether on Linux or Windows is the same with some minor formatting differences.
Using the Traceroute in Windows 10
Perhaps you’ve found yourself troubleshooting a network issue for an application that you manage. After looking at some log files, you see that the requests the application makes to a remote server are taking longer than normal, or that packets are being dropped entirely. This is a perfect scenario for Windows 10’s traceroute utility, tracert.
If you’re on Windows, open up a command prompt (cmd.exe) or Windows PowerShell console. All examples you’ll see in this section will use Windows PowerShell v5.1.
Let’s first get acquainted with this traceroute utility and learn how it works. The command-line utility provides a handy way to see all of the options you have for running it: run tracert -?. In the following code snippet, you can see that tracert has a few different options to configure its behavior.
The Windows 10 traceroute utility
Tracert doesn’t have as many options as its traceroute brother, though (as you will see).
```text
Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout]
               [-R] [-S srcaddr] [-4] [-6] target_name

Options:
    -d                 Do not resolve addresses to hostnames.
    -h maximum_hops    Maximum number of hops to search for target.
    -j host-list       Loose source route along host-list (IPv4-only).
    -w timeout         Wait timeout milliseconds for each reply.
    -R                 Trace round-trip path (IPv6-only).
    -S srcaddr         Source address to use (IPv6-only).
    -4                 Force using IPv4.
    -6                 Force using IPv6.
```
You will likely use only one or two of these options at most while doing everyday troubleshooting. In the scenario described above, you can use tracert followed by the IP address or fully-qualified domain name (FQDN) of the target server.
Traceroute on Windows 10: By Example
Let’s assume your application has to reach www.google.com. To trace the application’s path to www.google.com, you’d simply provide the address as the first argument to traceroute in Windows 10 (tracert). In the following demonstration, you can see the path a packet from the example host takes to get there traversing 11 routers.
Now let’s examine the output and then cover the results below.
```text
Tracing route to www.google.com [18.104.22.168]
over a maximum of 30 hops:

  1     1 ms     4 ms     1 ms  www.routerlogin.com [192.168.1.1]
  2    56 ms    11 ms    12 ms  22.214.171.124
  3    65 ms   468 ms    29 ms  agg63.vnwrohbt01h.midwest.rr.com [126.96.36.199]
  4    61 ms    22 ms    21 ms  agg59.clmkohpe02r.midwest.rr.com [188.8.131.52]
  5   508 ms    23 ms    29 ms  be27.clmkohpe01r.midwest.rr.com [184.108.40.206]
  6    73 ms    41 ms    31 ms  bu-ether31-vinnva0510w-bcr00.tbone.rr.com [220.127.116.11]
  7    76 ms    33 ms    37 ms  18.104.22.168
  8   382 ms    29 ms    36 ms  22.214.171.124
  9    75 ms    32 ms    37 ms  126.96.36.199
 10     *     1320 ms    29 ms  188.8.131.52
 11    28 ms    27 ms    27 ms  ord37s08-in-f4.1e100.net [184.108.40.206]

Trace complete.
```
There are five columns of data in the output. Starting left to right:
- Column 1 (hop count) – There are 11 hops in this route. Keep in mind that you could run this same command again, and get different output. This is expected as you could be routed to a different interface on a router or an entirely different router altogether.
- Columns 2-4 (ICMP (ping) packet round-trip times) – These times are measured in milliseconds. Recall that these packets also carry the TTL that causes a router to generate the error message whose contents the tracert command uses.
Response times of 5-30 ms are considered good for a high-speed hop. Most commonly, you’ll see times between 35-60 ms. When you begin to see times of 60 ms or more, that may be indicative of a delay.
- Column 5 (hostname or IP address) – This is the address of the router at that point in the path. If a router is configured not to respond, or is not reachable for whatever reason, you will see an * here instead. By default, tracert attempts a reverse DNS lookup on each router IP address, which is why you see DNS names here instead of IP addresses.
You can speed up tracert slightly if you forgo name resolution by using the -d switch. This option prevents hostname resolution and returns IP addresses only.
With this output, you now have the basic information that is useful in troubleshooting network latency or routing issues: a time measurement, plus the IP address(es) and/or FQDN(s) of each router to investigate.
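As an added example (not from the article), here is a small Python parser for the tracert output above that pulls out the hop number, the three probe times and the router column, and then applies the two checks from the list: unanswered probes (*) and the 60 ms rule of thumb. The sample input is the trace shown earlier; the parse_tracert() and assess() helpers and the minimum-RTT judgement are my own.

```python
import re
from statistics import median
# Sample input: the tracert output shown earlier in this article.
SAMPLE = """\
Tracing route to www.google.com [18.104.22.168]
over a maximum of 30 hops:

  1     1 ms     4 ms     1 ms  www.routerlogin.com [192.168.1.1]
  2    56 ms    11 ms    12 ms  22.214.171.124
  3    65 ms   468 ms    29 ms  agg63.vnwrohbt01h.midwest.rr.com [126.96.36.199]
  4    61 ms    22 ms    21 ms  agg59.clmkohpe02r.midwest.rr.com [188.8.131.52]
  5   508 ms    23 ms    29 ms  be27.clmkohpe01r.midwest.rr.com [184.108.40.206]
  6    73 ms    41 ms    31 ms  bu-ether31-vinnva0510w-bcr00.tbone.rr.com [220.127.116.11]
  7    76 ms    33 ms    37 ms  18.104.22.168
  8   382 ms    29 ms    36 ms  22.214.171.124
  9    75 ms    32 ms    37 ms  126.96.36.199
 10     *     1320 ms    29 ms  188.8.131.52
 11    28 ms    27 ms    27 ms  ord37s08-in-f4.1e100.net [184.108.40.206]

Trace complete.
"""
# One hop line: hop number, three probe fields ("<n> ms", "<1 ms" or "*"), then the router.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(\S.*?)\s*$")

def parse_tracert(text):
    """Turn tracert output into a list of (hop, [rtt or None per probe], router)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # header, blank and "Trace complete." lines
            continue
        rtts = [None if tok == "*" else int(tok.lstrip("<").split()[0])
                for tok in re.findall(r"<?\d+ ms|\*", m.group(2))]
        hops.append((int(m.group(1)), rtts, m.group(3)))
    return hops

def assess(hops, slow_ms=60):
    """Flag hops worth a closer look using the article's 60 ms rule of thumb.
    Judged on the per-hop minimum: one slow sample beside fast ones (hop 3's
    468 ms above) is usually the router deprioritising ICMP replies, not delay."""
    findings = []
    for hop, rtts, router in hops:
        answered = [r for r in rtts if r is not None]
        lost = len(rtts) - len(answered)
        if lost:
            findings.append(f"hop {hop}: {lost}/{len(rtts)} probes unanswered ({router})")
        if answered and min(answered) > slow_ms:
            findings.append(f"hop {hop}: min RTT {min(answered)} ms, median "
                            f"{median(answered):g} ms, above {slow_ms} ms ({router})")
    return findings
```

Running assess(parse_tracert(SAMPLE)) on the trace above reports only hop 10’s unanswered probe; lowering slow_ms to 30 additionally reports hops 6, 7 and 9.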
Using Traceroute on Linux
The traceroute functionality isn’t just relegated to Windows; you have traceroute ability on Linux too with the traceroute command.
Not every distribution of Linux ships the same package for the traceroute command. Some distributions use the legacy inetutils package, which includes traceroute as part of a suite of network tools, while others have a modern traceroute.x86_64 package.
Same as last time, the very first thing you should do with any command-line utility is look at the help. The common switch for help information is -?. Type the command traceroute -? (remember case sensitivity in Linux) to display the help text:
```text
Usage: traceroute [OPTION...] HOST
Print the route packets trace to network host.

  -f, --first-hop=NUM        set initial hop distance, i.e., time-to-live
  -g, --gateways=GATES       list of gateways for loose source routing
  -I, --icmp                 use ICMP ECHO as probe
  -m, --max-hop=NUM          set maximal hop count (default: 64)
  -M, --type=METHOD          use METHOD (`icmp' or `udp') for traceroute
                             operations, defaulting to `udp'
  -p, --port=PORT            use destination PORT port (default: 33434)
  -q, --tries=NUM            send NUM probe packets per hop (default: 3)
      --resolve-hostnames    resolve hostnames
  -t, --tos=NUM              set type of service (TOS) to NUM
  -w, --wait=NUM             wait NUM seconds for response (default: 3)
  -?, --help                 give this help list
      --usage                give a short usage message
  -V, --version              print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Report bugs to <[email protected]>.
```
Similar to the tracert command in Windows, the traceroute command has a few additional parameters that could be useful for more precise troubleshooting.
One helpful option excludes certain routers from the trace. Using the --first-hop=NUM (-f) parameter, you can keep the first routers from being displayed. This is very useful if you are confident that one or more routers are not causing any issues. You can also use this feature to start the trace past your network perimeter, narrowing down possible causes of latency on the Internet.
In the following GIF, I’m running traceroute -f 3 google.com. This command skips the first three routers, thus bypassing my home networking and ISP router. Notice that the first two hops are missing.
You can see from above that it takes 15 hops to reach www.google.com from my network. The output isn’t formatted the same as it is in Windows; the order is just reversed. You see the hop count first, then the hostname or IP of the router along the path being traced, followed by the response times as before. You may see additional interfaces for some hops in the output. This is expected.
Narrowing Down Results
Now let’s say that, in addition to skipping the first two hops, you also only want the path up to the fifth hop in the route. That’s where you would use the --max-hop=NUM switch parameter. Type traceroute -m 5 -f 3 www.google.com into your terminal and press Enter. This command is certainly useful for narrowing down potential routing issues: traceroute now skips the first two hops and stops at the fifth hop.
Reducing Probe Packets Sent
Traceroute, by default, sends three probe packets to each router in the path. Perhaps you’d like to reduce the time traceroute takes to run. You can change the number of probe packets sent to each router using the -q parameter. Type traceroute -q 1 -m 5 -f 3 www.google.com into your terminal and press Enter. You can see below that traceroute is only sending one packet per hop, because we only get one response time per hop.
You can also increase the number of probe packets sent per hop by specifying a larger number as the argument to the -q parameter, as shown below. Sending more probes can help by giving you more samples from which to average the response time to each hop.
The traceroute and tracert utilities are tried and true, handy command-line network utilities that have been around for a long time. We didn’t cover every parameter of each command in this article, but we did cover many of the most useful ones. If you ever find yourself cussing about slow response times, or are simply curious about where your packets are going, give the traceroute or tracert command a shot and see where it takes you.