traceroute Path Trace

traceroute cheatsheet — trace the network path to any host. traceroute google.com, traceroute -n (no DNS), traceroute -T (TCP mode). Identify where packets are dropped or delayed.


What it is

A network diagnostic tool that traces the path packets take from your computer to a destination host, showing each hop along the way.

Installation

Linux

sudo apt update && sudo apt install traceroute
# or
sudo yum install traceroute

macOS

traceroute is usually pre-installed. If not:

brew install traceroute

Windows

Windows has a built-in equivalent called tracert. To install traceroute on Windows, you might consider using the Windows Subsystem for Linux (WSL).

Core Concepts

  • Hops: Each router or network device that a packet passes through on its way to the destination is considered a hop. traceroute displays the IP address and, if possible, the hostname of each hop.
  • Time To Live (TTL): traceroute works by sending packets with incrementally increasing TTL values. The first packet has a TTL of 1, causing it to expire at the first router. The router sends back an ICMP "Time Exceeded" message. traceroute records the round-trip time for this message. It then sends a packet with TTL 2, which expires at the second router, and so on. This process continues until the packet reaches the destination.
  • ICMP Time Exceeded: This is the message sent by routers when a packet’s TTL expires before reaching its destination. traceroute relies on these messages to identify hops.
  • ICMP Destination Unreachable: This message is sent by the final destination host when it receives a packet but cannot deliver it to the intended port (e.g., if no process is listening on that UDP port). traceroute uses this to know it has reached the destination.
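The TTL walk described above can be reproduced by hand with ping, which makes the per-hop replies visible. This is an added example, not part of the original cheatsheet. It assumes Linux iputils ping (where -t sets the TTL and -W the reply timeout) and uses ICMP Echo probes, so the destination answers with an Echo Reply instead of Destination Unreachable. The function names classify_reply and ttl_walk are illustrative.

```shell
#!/bin/sh
# Added example: a hand-rolled TTL walk (Linux iputils ping syntax assumed).

# classify_reply reads the output of one `ping -n -c 1 -t TTL host` on stdin
# and prints one of:
#   hop <ip>   a router returned ICMP Time Exceeded (the TTL expired there)
#   dest <ip>  the destination itself answered the echo
#   silent     nothing came back before the timeout
classify_reply() {
  awk '
    $1 == "From" && /Time to live exceeded/ { print "hop " $2; found = 1; exit }
    / bytes from / { ip = $4; sub(/:$/, "", ip)
                     print "dest " ip; found = 1; exit }
    END { if (!found) print "silent" }
  '
}

# ttl_walk HOST [MAX_TTL]: send one echo per TTL value, starting at 1, and
# stop as soon as the destination replies. Returns 1 if MAX_TTL is reached.
ttl_walk() {
  host=$1 max=${2:-30} ttl=1
  while [ "$ttl" -le "$max" ]; do
    result=$(ping -n -c 1 -W 2 -t "$ttl" "$host" 2>/dev/null | classify_reply)
    printf '%2d  %s\n' "$ttl" "$result"
    case $result in dest*) return 0 ;; esac
    ttl=$((ttl + 1))
  done
  return 1
}

# Usage (needs network access): ttl_walk example.com 15
```

A "silent" line corresponds to the `* * *` rows that traceroute prints for a hop.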

Commands / Usage

Basic Tracing

  • Trace to a hostname:

    traceroute google.com
    

    Traces the route to google.com using default settings (UDP probes).

  • Trace to an IP address:

    traceroute 8.8.8.8
    

    Traces the route to the IP address 8.8.8.8.

Probe Type Selection

  • Use ICMP Echo (like ping):

    traceroute -I google.com
    

    Uses ICMP Echo Request packets instead of UDP probes. This is often blocked by firewalls.

  • Use TCP SYN:

    traceroute -T -p 80 google.com
    

    Uses TCP SYN packets to port 80. Useful for tracing routes to web servers and can sometimes bypass firewalls that block UDP/ICMP.

Packet Configuration

  • Set maximum number of hops:

    traceroute -m 15 google.com
    

    Stops tracing after 15 hops, even if the destination is not reached.

  • Set the initial TTL:

    traceroute -f 5 google.com
    

    Starts the trace with a TTL of 5, skipping the first 4 hops.

  • Set the packet size:

    traceroute google.com 64
    

    Sends probe packets of 64 bytes. The size is given as a positional argument after the host; -s sets the source address, not the size.

  • Set the number of probes per hop:

    traceroute -q 3 google.com
    

    Sends 3 probe packets for each hop to get more consistent latency measurements.

  • Set the wait time for a response:

    traceroute -w 2 google.com
    

    Waits a maximum of 2 seconds for a response from each hop.

Network Interface and Source Address

  • Specify the outgoing network interface:

    traceroute -i eth0 google.com
    

    Forces traceroute to use the eth0 network interface.

  • Specify the source IP address:

    traceroute -s 192.168.1.100 google.com
    

    Uses 192.168.1.100 as the source IP address for probes.

Hostname Resolution

  • Do not resolve hostnames:

    traceroute -n google.com
    

    Does not attempt to resolve IP addresses to hostnames, showing only IPs. Speeds up the process and can help diagnose DNS issues.

Verbosity and Debugging

  • Increase verbosity:

    traceroute -v google.com
    

    Shows more detailed output during the trace.

  • Set the probe port (for UDP probes):

    traceroute -p 33434 google.com
    

    Sets the starting UDP destination port. The port number is incremented for each hop.

Common Patterns

  • Diagnosing slow connections:

    traceroute -n -m 30 example.com | grep -F '192.168.'
    

    Traces to example.com without hostname resolution, stops at 30 hops, and filters for hops within your local network range to see where delays might be occurring internally.

  • Checking connectivity to a specific port (using TCP):

    traceroute -T -p 443 www.example.com
    

    Traces the route to www.example.com using TCP SYN packets to port 443 (HTTPS), useful for diagnosing issues with secure web connections.

  • Comparing routes with different probe types:

    traceroute -I google.com & traceroute -T -p 80 google.com
    

    Runs an ICMP-based trace and a TCP-based trace concurrently to see if different network paths are taken or if one type of probe is blocked.

  • Saving output to a file:

    traceroute google.com > traceroute_google.txt
    

    Saves the entire output of the traceroute command to a file named traceroute_google.txt.

  • Finding the first non-responsive hop:

    traceroute google.com | grep '*'
    

    Filters the output to show only lines with asterisks, indicating hops that did not respond within the timeout. This can point to network congestion or firewall issues.

Gotchas

  • Firewalls: Many routers and hosts are configured to drop ICMP or UDP packets used by traceroute. This can result in asterisks (* * *) appearing in the output, even for hops that are functioning correctly. Using TCP probes (-T) can sometimes circumvent this.
  • Asymmetric Routing: The path packets take to a destination might be different from the path packets take back. traceroute only shows the path from your machine to the destination.
  • Load Balancing: Some routers, especially at higher levels, may employ load balancing across multiple paths. This can cause the IP address reported for a given hop number to vary between runs of traceroute, or even between probes within the same run when those probes are spread across different paths.
  • Intermittent Failures: Network conditions can change rapidly. A hop that appears problematic (e.g., high latency, packet loss) on one run might be fine on the next. Running traceroute multiple times can help identify consistent issues.
  • TTL Exceeded vs. Destination Unreachable: traceroute relies on ICMP "Time Exceeded" messages from intermediate routers. When it reaches the destination, it typically receives an ICMP "Destination Unreachable" message (often for a specific port, if using UDP probes). If the destination host or intermediate firewalls block these ICMP messages, traceroute might not be able to determine the full path or confirm arrival.
  • Hostname Resolution Delays: If hostname resolution is slow or fails, the -n flag (numeric output) can significantly speed up the process and isolate network path issues from DNS issues.
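Filtering for asterisks alone cannot separate a hop that merely withholds ICMP replies from the point where replies stop altogether, and it hides load-balanced hops. The following added example (not part of the original cheatsheet) reads `traceroute -n` output and reports each case; it handles IPv4 only, and trace_summary, sample_trace and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `traceroute -n` output (IPv4 only).

# sample_trace prints a constructed trace using documentation addresses.
sample_trace() {
  cat <<'EOF'
traceroute to example.com (198.51.100.7), 30 hops max, 60 byte packets
 1  192.168.1.1  0.512 ms  0.487 ms  0.471 ms
 2  * * *
 3  10.20.0.1  8.1 ms  10.20.0.5  8.4 ms  10.20.0.1  8.2 ms
 4  203.0.113.9  12.1 ms  *  12.3 ms
 5  * * *
 6  * * *
EOF
}

# trace_summary reads a trace on stdin and reports:
#   - silent hops that are followed by answering hops (path is intact)
#   - hops answered by more than one address (load balancing)
#   - the last hop that answered, if the trace ends in silence
trace_summary() {
  awk '
    $1 !~ /^[0-9]+$/ { next }              # skip the header line
    {
      hop = $1 + 0; ips = 0; split("", seen)
      for (i = 2; i <= NF; i++)
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($i in seen)) {
          seen[$i] = 1; ips++              # count distinct responder addresses
        }
      count[hop] = ips
      if (hop > max) max = hop
      if (ips > 0) last = hop
    }
    END {
      for (h = 1; h <= max; h++) {
        if (!(h in count)) continue
        if (count[h] == 0 && h < last)
          print "hop " h ": silent, later hops answer (replies filtered or rate-limited)"
        else if (count[h] > 1)
          print "hop " h ": " count[h] " responders (load-balanced)"
      }
      if (last < max) print "no replies after hop " (last + 0)
      else if (max > 0) print "path answered through hop " max
    }
  '
}
```

Run it on a live trace with `traceroute -n example.com | trace_summary`, or on the constructed sample with `sample_trace | trace_summary`.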