A local area network (LAN) and the Internet itself are, in the end, one big network. Networks work by routing packets from point A to point B to point C, and each packet takes a route from its source to its destination. How do you know what route your packet takes? By using the traceroute or tracert utility.

Traceroute is typically used as a network troubleshooting utility. It can be found on Windows, Linux, macOS, and many other operating systems in various forms. For IT professionals, you'll typically find it either as the traceroute binary (Linux/macOS) or the tracert.exe utility on Windows.

In this article, you are going to learn all about the traceroute utility, including its purpose, its various switches, and how to interpret the information it provides. By the end of this article, you'll have the knowledge to use this tool to its fullest potential.

How Traceroute Works

Traceroute's primary purpose is to discover the route a packet takes when traversing a network. It does this by collecting the error messages generated by the routers the packet passes through along the way, taking advantage of the Time-to-Live (TTL) field in the IP packet header. TTL limits the lifetime of a packet, preventing it from circulating on the network indefinitely. This matters when a path fails or a routing loop exists.

As a packet passes through each router, its TTL value is decremented until it reaches 0. When a packet's TTL reaches 0, the router discards the packet and returns an ICMP Time Exceeded (ICMP_TIME_EXCEEDED) message to the address the packet originated from.

When traceroute sends out probe packets to find the path, it deliberately sets the TTL field of each probe so that the probe expires at a chosen hop. Using the resulting error messages, traceroute can then piece together the path a packet takes across a network.
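To make the mechanism concrete, here is a small Python model of it. This is an added example written for this article, not code from the traceroute or tracert projects, and it sends nothing on the network. The routers, their addresses (RFC 5737 documentation ranges), the silent router and the routing loop are all constructed, and the first_hop, max_hops and tries parameters are assumptions that mirror the -f, -m and -q options covered in the Linux section of this article.

```python
"""Toy model of the TTL mechanism traceroute relies on.

Added example for this article; not the traceroute/tracert source and nothing
leaves this process.  The topologies below are constructed in-memory chains of
routers using RFC 5737 documentation addresses.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Router:
    address: str
    next_hop: Optional[str]    # None means "this node is the destination host"
    replies: bool = True       # False models a router that never sends ICMP Time Exceeded


Network = Dict[str, Router]


def forward(network: Network, entry: str, dst: str, ttl: int) -> Optional[str]:
    """Deliver one probe with the given TTL and return the address that answers.

    The answer is the destination itself, or the router at which TTL expired
    (that router discards the packet and sends ICMP Time Exceeded to the source).
    None means no reply arrived: the probe died at a silent router or was
    dropped for lack of a route.  The tools print that as '*'.
    """
    current: Optional[str] = entry
    while current is not None:
        node = network[current]
        if node.address == dst:
            return node.address            # reached the target host; it replies
        if ttl <= 1:
            # Forwarding would take TTL to 0: discard and (usually) report it.
            return node.address if node.replies else None
        ttl -= 1                           # every router decrements TTL before forwarding
        current = node.next_hop
    return None                            # no route: silently dropped


def traceroute(network: Network, entry: str, dst: str,
               first_hop: int = 1, max_hops: int = 30, tries: int = 3):
    """Probe with TTL = first_hop, first_hop+1, ... until dst answers or max_hops is hit.

    first_hop, max_hops and tries are assumed names mirroring -f, -m and -q.
    Returns [(ttl, [responder_or_None per probe]), ...].
    """
    hops: List[tuple] = []
    for ttl in range(first_hop, max_hops + 1):
        replies = [forward(network, entry, dst, ttl) for _ in range(tries)]
        hops.append((ttl, replies))
        if dst in replies:
            break
    return hops


def render(hops) -> str:
    """Format like tracert: hop number, then one column per probe ('*' for no reply)."""
    return "\n".join(f"{ttl:3d}  " + "  ".join(r or "*" for r in replies)
                     for ttl, replies in hops)


def looping_hops(hops) -> List[str]:
    """Addresses that answer for more than one TTL: the signature of a routing loop.

    Without TTL such a packet would circulate forever; with it, every probe dies
    after a bounded number of hops and the loop shows up as repeated responders.
    """
    seen: Dict[str, set] = {}
    for ttl, replies in hops:
        for r in replies:
            if r:
                seen.setdefault(r, set()).add(ttl)
    return sorted(a for a, ttls in seen.items() if len(ttls) > 1)


# Constructed topology: home router -> ISP router -> silent router -> destination host
CHAIN: Network = {
    "192.0.2.1":    Router("192.0.2.1", "198.51.100.1"),
    "198.51.100.1": Router("198.51.100.1", "198.51.100.2"),
    "198.51.100.2": Router("198.51.100.2", "203.0.113.10", replies=False),
    "203.0.113.10": Router("203.0.113.10", None),
}

# Constructed topology with a routing loop between two routers; the destination is unreachable
LOOP: Network = {
    "192.0.2.1":    Router("192.0.2.1", "198.51.100.5"),
    "198.51.100.5": Router("198.51.100.5", "198.51.100.6"),
    "198.51.100.6": Router("198.51.100.6", "198.51.100.5"),
}

if __name__ == "__main__":
    print(render(traceroute(CHAIN, "192.0.2.1", "203.0.113.10")))
    print(render(traceroute(CHAIN, "192.0.2.1", "203.0.113.10", first_hop=3, tries=1)))
    loop = traceroute(LOOP, "192.0.2.1", "203.0.113.10", max_hops=6)
    print(render(loop))
    print("loop suspects:", looping_hops(loop))
```

Running it shows hop 3 of the chain as three asterisks even though the packet is forwarded fine, which is the same thing you see when a real router rate-limits or disables ICMP error generation; the loop run never reaches the destination and stops only because max_hops bounds it, with the two looping addresses alternating down the output.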

Terminology

We've already mentioned a few terms, and you'll learn a few more as you read through this article. Let's cover the most important ones first.

  • Host - The computer or device from which you are running the traceroute tool. This can be a Windows or Linux PC, or a Cisco IOS device.
  • Router - A device that forwards or routes packets from network to network through various interfaces.
  • Hop - A hop is a router along a network path. Think of a routed packet as 'hopping' from one router interface to another as it traverses a network.
  • Route - A route is the path between a host and each router interface along the way. The route can differ each time the traceroute tool is run, because routing protocols and rules may direct traffic to different interfaces.
  • Path - A path is a route taken by a packet traveling from one host to another.

Tracert vs Traceroute

There are two primary traceroute utilities that IT pros will run into: traceroute and tracert. As mentioned earlier, you'll find traceroute on Linux/macOS and tracert on Windows. But there's also one other big difference: traceroute uses ICMP and tracert uses UDP.

Whether on Linux or Windows, the data returned is the same, with some minor formatting differences.

Using tracert on Windows

Perhaps you've found yourself troubleshooting a network issue for an application that you manage. After looking at some log files, you see that the requests the application makes to a remote server are taking longer than normal, or packets are being dropped entirely. This is a perfect scenario for the tracert tool.

If you're on Windows, open up a command prompt (cmd.exe) or Windows PowerShell console. All examples you'll see in this section will use Windows PowerShell v5.1.

Finding Help

Let's first get acquainted with tracert. You can see all of the options available for this command-line utility by running tracert -?. In the following snippet, you can see that tracert has a few different options to configure its behavior.

Tracert doesn't have as many options as its Linux counterpart, traceroute (as you will see).

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout]
               [-R] [-S srcaddr] [-4] [-6] target_name

Options:
    -d                 Do not resolve addresses to hostnames.
    -h maximum_hops    Maximum number of hops to search for target.
    -j host-list       Loose source route along host-list (IPv4-only).
    -w timeout         Wait timeout milliseconds for each reply.
    -R                 Trace round-trip path (IPv6-only).
    -S srcaddr         Source address to use (IPv6-only).
    -4                 Force using IPv4.
    -6                 Force using IPv6.

You will likely use only one or two of these options at most during everyday troubleshooting. In the scenario described above, you can simply run tracert followed by the IP address or fully-qualified domain name (FQDN) of the target server.

Tracing with Tracert By Example

Let's assume your application has to reach www.google.com. To trace the application's path to www.google.com, you simply provide the address as the first argument. In the following demonstration, you can see the path a packet from the example host takes to get there, traversing 11 hops.

Now let's look at the output, then go through the results below.

Tracing route to www.google.com [172.217.8.164]
over a maximum of 30 hops:

  1     1 ms     4 ms     1 ms  www.routerlogin.com [192.168.1.1]
  2    56 ms    11 ms    12 ms  142.254.148.17
  3    65 ms   468 ms    29 ms  agg63.vnwrohbt01h.midwest.rr.com [98.30.201.210]
  4    61 ms    22 ms    21 ms  agg59.clmkohpe02r.midwest.rr.com [24.33.162.134]
  5   508 ms    23 ms    29 ms  be27.clmkohpe01r.midwest.rr.com [65.29.1.34]
  6    73 ms    41 ms    31 ms  bu-ether31-vinnva0510w-bcr00.tbone.rr.com [66.109.6.54]
  7    76 ms    33 ms    37 ms  66.109.5.136
  8   382 ms    29 ms    36 ms  66.109.7.83
  9    75 ms    32 ms    37 ms  209.85.250.189
 10     *     1320 ms    29 ms  72.14.232.153
 11    28 ms    27 ms    27 ms  ord37s08-in-f4.1e100.net [172.217.8.164]

Trace complete.

There are five columns of data in the output. Starting from left to right:

  • Column 1 (hop count) - There are 11 hops in this route. Keep in mind that you could run this same command again and get different output. This is expected, as you could be routed to a different interface on a router, or to an entirely different router altogether.
  • Columns 2-4 (ICMP (ping) packet round-trip times) - These times are measured in milliseconds, one per probe packet. Recall that these packets carry the TTL that causes each router to generate the error message tracert uses to build its output.
    Response times of 5-30ms are considered good for a high-speed hop. Most commonly, you'll see times between 35-60ms. When you begin to see times of 60ms or more, that may indicate a delay.
  • Column 5 (hostname or IP address) - This is the address of the router that answered at that hop. If a router is configured not to respond, or is unreachable for whatever reason, you will see an * here instead. By default, tracert attempts a reverse DNS lookup on each router IP address, which is why you see DNS names here instead of bare IP addresses.
    You can speed tracert up slightly by skipping name resolution with the -d switch. This option prevents hostname resolution and returns IP addresses only.

With this output, you now have the basic information needed to troubleshoot network latency or routing issues: a time measurement for each hop, plus the IP address(es) and/or FQDN(s) of each router to investigate.

Using Traceroute on Linux

Traceroute functionality isn't limited to Windows; you have the same ability on Linux with the traceroute command.

Not every Linux distribution ships the same package for the traceroute command. Some distributions use the legacy inetutils package, which provides traceroute as part of a suite of network tools, while others ship a standalone modern traceroute package (traceroute.x86_64).

As before, the first thing you should do with any command-line utility is look at its help. The common switch for help information is -?. Type traceroute -? (remember that Linux is case sensitive) to display the help text:

Usage: traceroute [OPTION...] HOST
Print the route packets trace to network host.

  -f, --first-hop=NUM        set initial hop distance, i.e., time-to-live
  -g, --gateways=GATES       list of gateways for loose source routing
  -I, --icmp                 use ICMP ECHO as probe
  -m, --max-hop=NUM          set maximal hop count (default: 64)
  -M, --type=METHOD          use METHOD (`icmp' or `udp') for traceroute
                             operations, defaulting to `udp'
  -p, --port=PORT            use destination PORT port (default: 33434)
  -q, --tries=NUM            send NUM probe packets per hop (default: 3)
      --resolve-hostnames    resolve hostnames
  -t, --tos=NUM              set type of service (TOS) to NUM
  -w, --wait=NUM             wait NUM seconds for response (default: 3)
  -?, --help                 give this help list
      --usage                give a short usage message
  -V, --version              print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Report bugs to <[email protected]>.

Similar to tracert on Windows, the traceroute command has a few additional parameters that can be useful for more precise troubleshooting.

Excluding Routers

One helpful option excludes certain routers from the trace. Using the -f or --first-hop=NUM parameter, you can start the trace at hop NUM so that the routers before it are not displayed. This is very useful if you are confident that one or more routers are not causing any issues. You can also use this feature to begin the trace past your network perimeter, to narrow down possible causes of latency on the Internet.

In the following GIF, I'm running traceroute -f 3 google.com. This command starts the trace at the third hop, skipping the first two routers and thus bypassing my home network and my ISP router. Notice that the first two hops are missing.

[GIF: traceroute -f example]

You can see from the output that it takes 15 hops to reach www.google.com from my network. The output isn't formatted the same as it is on Windows; the columns are in a different order. You see the hop count first, then the hostname or IP of the router along the path being traced, followed by the response times as before. You may see additional interfaces listed for some hops in the output. This is expected.
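The columns described in the tracert section, and the different column order of the Linux tool described just above, can be parsed mechanically, which is handy when you collect traces over time or from several hosts and want to flag the hops worth a closer look. The following Python is an added example written for this article, not part of tracert or traceroute. The Windows sample is the article's own tracert output; the Linux sample is constructed (the article's router names with made-up timings) to show that tool's layout, and the 60 ms threshold and the 'timeout'/'latency' labels are this example's own choices based on the rules of thumb given earlier.

```python
"""Parse tracert (Windows) and traceroute (Linux) output and flag hops worth a look.

Added example for this article, not part of either tool.  TRACERT_SAMPLE is the
article's own output; LINUX_SAMPLE is constructed with made-up timings.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One round-trip time token: '*' (no reply), '<1 ms', '29 ms' or '65.123 ms'.
RTT_RE = re.compile(r"(?<![\w.])(?:(\*)|<?(\d+(?:\.\d+)?)\s*ms\b)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOP_RE = re.compile(r"\s*(\d+)\s+(.*)")


@dataclass
class Hop:
    hop: int
    host: Optional[str]           # reverse-DNS name, or the IP when nothing resolved
    ip: Optional[str]
    rtts: List[Optional[float]]   # milliseconds; None where the tool printed '*'

    @property
    def timeouts(self) -> int:
        return sum(r is None for r in self.rtts)

    @property
    def best(self) -> Optional[float]:
        measured = [r for r in self.rtts if r is not None]
        return min(measured) if measured else None

    @property
    def worst(self) -> Optional[float]:
        measured = [r for r in self.rtts if r is not None]
        return max(measured) if measured else None


def parse_hop(line: str) -> Optional[Hop]:
    """Parse one hop line in either tool's format; None for header/footer lines."""
    m = HOP_RE.match(line)
    if not m:
        return None
    number, rest = int(m.group(1)), m.group(2)
    rtts: List[Optional[float]] = []
    for star, value in RTT_RE.findall(rest):
        rtts.append(None if star else float(value))   # '<1 ms' is recorded as 1.0 (an upper bound)
    if not rtts:
        return None
    remainder = RTT_RE.sub(" ", rest)                  # whatever is left is host/IP text
    ips = IPV4_RE.findall(remainder)
    ip = ips[0] if ips else None                       # Linux may list several interfaces; keep the first
    names = [w.strip("[]()") for w in remainder.split()]
    names = [w for w in names if w and not IPV4_RE.fullmatch(w)]
    return Hop(number, names[0] if names else ip, ip, rtts)


def parse_trace(text: str) -> List[Hop]:
    return [h for h in (parse_hop(line) for line in text.splitlines()) if h]


def assess(hops: List[Hop], slow_ms: float = 60.0):
    """Flag hops per the article's rules of thumb; returns [(hop, ip, reasons), ...].

    'timeout': at least one probe got no reply ('*').
    'latency': even the best of the probes exceeded slow_ms.  The best sample is
    used rather than the worst because a router may be slow to generate ICMP
    errors while forwarding traffic normally, so one slow sample at an
    intermediate hop (hop 3's 468 ms above) is not by itself a slow path.
    """
    findings = []
    for h in hops:
        reasons = []
        if h.timeouts:
            reasons.append("timeout")
        if h.best is not None and h.best > slow_ms:
            reasons.append("latency")
        if reasons:
            findings.append((h.hop, h.ip, tuple(reasons)))
    return findings


# The article's tracert output, verbatim.
TRACERT_SAMPLE = """\
Tracing route to www.google.com [172.217.8.164]
over a maximum of 30 hops:

  1     1 ms     4 ms     1 ms  www.routerlogin.com [192.168.1.1]
  2    56 ms    11 ms    12 ms  142.254.148.17
  3    65 ms   468 ms    29 ms  agg63.vnwrohbt01h.midwest.rr.com [98.30.201.210]
  4    61 ms    22 ms    21 ms  agg59.clmkohpe02r.midwest.rr.com [24.33.162.134]
  5   508 ms    23 ms    29 ms  be27.clmkohpe01r.midwest.rr.com [65.29.1.34]
  6    73 ms    41 ms    31 ms  bu-ether31-vinnva0510w-bcr00.tbone.rr.com [66.109.6.54]
  7    76 ms    33 ms    37 ms  66.109.5.136
  8   382 ms    29 ms    36 ms  66.109.7.83
  9    75 ms    32 ms    37 ms  209.85.250.189
 10     *     1320 ms    29 ms  72.14.232.153
 11    28 ms    27 ms    27 ms  ord37s08-in-f4.1e100.net [172.217.8.164]

Trace complete.
"""

# Constructed Linux-style output (traceroute -f 3): same router names, made-up timings.
LINUX_SAMPLE = """\
traceroute to www.google.com (172.217.8.164), 30 hops max, 60 byte packets
 3  agg63.vnwrohbt01h.midwest.rr.com (98.30.201.210)  65.123 ms  468.456 ms  29.000 ms
 4  agg59.clmkohpe02r.midwest.rr.com (24.33.162.134)  61.002 ms  22.118 ms  21.507 ms
 5  * * *
 6  bu-ether31-vinnva0510w-bcr00.tbone.rr.com (66.109.6.54)  73.410 ms  141.020 ms  131.880 ms
 7  ord37s08-in-f4.1e100.net (172.217.8.164)  28.301 ms  27.112 ms  27.940 ms
"""

if __name__ == "__main__":
    for sample in (TRACERT_SAMPLE, LINUX_SAMPLE):
        for hop, ip, reasons in assess(parse_trace(sample)):
            print(f"hop {hop:2d} {ip or '?':16} {', '.join(reasons)}")
```

On the article's tracert output only hop 10 is flagged (one probe timed out), even though several hops have a single sample above 60 ms: their best sample is well under the threshold and every later hop is faster, which points at slow ICMP generation on that router rather than at the forwarding path. In the constructed Linux sample, hop 5 is flagged for answering nothing at all and hop 6 because all three of its probes came back above the threshold.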

Narrowing Down Results

Now let's say that, in addition to skipping the first two hops, you also want the trace to stop at the fifth hop in the route. That's where you would use the -m or --max-hop=NUM switch.

Type traceroute -m 5 -f 3 www.google.com into your terminal and press Enter. Traceroute now skips the first two hops and stops at the fifth hop. This is certainly useful for narrowing a routing issue down to a range of hops.

[GIF: traceroute -m example]

Reducing Probe Packets Sent

Traceroute, by default, sends three probe packets to each router in the path. If you'd like to reduce the time traceroute takes to run, you can change the number of probe packets sent to each router using the -q parameter.

Type traceroute -q 1 -m 5 -f 3 www.google.com into your terminal and press Enter. You can see below that traceroute is now sending only one probe packet per hop, because only one response time is shown for each hop.

[GIF: traceroute -q 6 example]

You can also increase the number of probe packets sent per hop by giving a larger argument to the -q parameter, such as -q 6. Sending more probes can help by giving you more samples from which to average the response times for each hop.

Conclusion

Both the traceroute and tracert utilities are tried-and-true, handy command-line network utilities that have been around for a long time. We didn't cover every parameter of each command in this article, but we did cover many of the most useful ones. If you ever find yourself cussing about slow response times, or are simply curious about where your packets are going, give the traceroute or tracert command a shot and see where it takes you.