Every second, trillions of 1s and 0s pass through fiber optic links, move from continent to continent via undersea cables, and wirelessly bring users around the world the Internet we know and love. But have you ever wondered how exactly these bits of data move from one place to another?
Traceroute, a tool you may already have, can give you some insight by tracing the path between your computer and a target destination. In this article, we'll look at what traceroute is and how it works, learn how to run traceroute on different platforms, and how to read the results of a traceroute.
What is Traceroute?
Traceroute is a simple yet intelligent command-line tool for tracing the path an IP packet follows across one or multiple networks. It was originally developed for UNIX-based platforms, but is now included in most operating systems, with the Windows implementation known as “tracert”. The results of these commands are also often referred to as traceroute.
What is the purpose of Traceroute?
Traceroute is primarily used for diagnostic purposes, but it can be a fun tool to learn about networking or just to satisfy your curiosity. System administrators and network engineers can use traceroute to see how traffic flows within an organization and identify any problematic or suboptimal routes.
Externally, traceroute can show the path of a packet as it traverses many different networks, and in some cases even reveal the different cities or geographic regions through which the traffic passes. Attackers could potentially use traceroute to map a target's network, which is why the types of packets used by traceroute are often blocked or filtered at the perimeter of corporate networks.
Most traceroute processes also display the time it takes to reach each “hop” between the source and the destination. This is extremely useful when looking for the root cause of intermittent traffic or performance issues.
How Traceroute works in five steps
Traceroute is actually a bit of a spoof, exploiting a field in Internet Protocol (IP) packet headers that was never intended for route tracing. The IP standard imposes a Time-to-Live (TTL) value on each IP packet, which acts as a kind of self-destruct mechanism to prevent the endless traffic of undeliverable packets on the Internet. Each router on a path is expected to decrement the TTL value by one before sending the next packet. Once the TTL value reaches zero, the routing process stops and the last router that processed the packet will send back a message “".
Exceeding a TTL value is not desirable for normal data packets, so a typical packet will have a value ranging from 64 to 255. But what would otherwise be a frustrating error message is actually a key part of how traceroute operation. By manipulating the TTL field, traceroute and similar programs can cause TTL exceeded messages from each hop along a given path. So here's how it works:
- The user calls the traceroute (or tracert) command and specifies a target host. If the host is specified in the form of a domain name, traceroute will attempt to resolve it.
- Traceroute sends a data packet to the target with the TTL value set to “1”. The first router in the path will decrement the value by 1, which should cause a TTL exceeded message to be sent back to the computer running the traceroute program.
- With the details of the first hop, traceroute will increase the TTL value to “2”. The first router in the path will still decrement the value by 1, but since the TTL will no longer drop to zero immediately after the start, the packet can continue for one more hop. Once the TTL value is set to zero (in this case, at the second router in the route), another TTL exceeded message should be generated and passed back to the traceroute.
- The process repeats, with traceroute increasing the TTL by 1 each time, until the destination or a maximum number of routes is reached. By default, the upper limit is 30 hops, but a different value can be specified when running the command.
- When it finishes, traceroute prints all the hops in the route, along with the time it took for each hop and the return (this is known as ).
By default, traceroute will send three packets to each hop of the route. The exact packet type differs between implementations and can also be changed with different flags, but the same basic methodology is used in all cases.
How to run a Traceroute process
Traceroute is available on a wide variety of platforms, from consumer operating systems to enterprise routers. There isn't much variation in how traceroute works on these different platforms, but the syntax of the command might be a bit different. Here's how to run traceroute from various popular platforms:
How to Run a Traceroute Process in Windows
Microsoft's implementation of the traceroute tool is slightly different than what you'll find on Mac/Linux/Unix platforms. The most obvious difference is in the command itself: On computers running Windows, you'll use the command “tracert” instead of typing the whole word. Here's a step-by-step guide:
- Open a command prompt. You can do this by typing “command” from the Start menu or by pressing Windows+R and typing “cmd”.
- From the command line, type “tracert” followed by the hostname or IP address you want to trace. To see the route to iguru.gr, for example, we will type “tracert iguru.gr”. The tool should automatically find a domain name in an IP address.
- Wait for the results. You should see the tool start generating results within a few seconds, but scanning the full path may take longer.
How to run a Traceroute process on Linux
Many versions of Linux come with traceroute preinstalled, although some distributions opt for similar tools such as mtr and tracepath. In any case, you can get the “classic” traceroute using the yum (yum install traceroute) or APT (apt-get install traceroute) package managers. From there, the steps aren't much different from Windows:
- Open your terminal.
- Type “traceroute” followed by the hostname or IP address you want to trace.
- Wait for the scan to complete and see the results.
Here is an example of running traceroute from Kali Linux:
How to run a traceroute process on Mac
Running a traceroute on a Mac is practically the same as running it on a Linux platform:
- Open the “Terminal” application.
- Type “traceroute” followed by the hostname or IP address you want to trace.
- Wait for the scan to complete and check the results.
You may notice that some of the defaults are a bit different: a maximum of 64 hops, for example, instead of 30. You can easily change these settings using the command line flags. Just check the official traceroute documentation using the “man traceroute” command.
How to read traceroute results
Now that we know a little more about how traceroute works, it's time to start using it! If you've never used traceroute before, things can seem a bit overwhelming at first. Once you learn how to read traceroute output though, you can quickly understand how the program actually works.
Each line of traceroute results represents a “hop” in the path to a specific destination. These hops can be listed as either an IP address or a hostname. traceroute will attempt to resolve the IP address of each hop to a hostname and display it if possible. The list starts with the router closest to your computer and ends at either the destination or the last point the traceroute reached before reaching a maximum number of hops. To the right of each entry is a series of times measured in milliseconds (ms). This is the route time, or the time it took for traceroute packets to reach that hop and receive a response.
You may notice that one or more lines of the traceroute output are listed only with an asterisk (*). This means that the program did not receive any response from the router at that hop. Some organizations choose to block or drop the type of packets that traceroute relies on, either by blocking them with a firewall or by configuring routers to drop the packets instead of responding. Traceroute traffic is also considered low-priority, so a busy router can process standard data packets instead of responding to the traceroute request.
When dealing with hostnames, it is sometimes more useful to start on the right and work your way to the left. Using this tactic, we can Google “m247” to discover that it is a UK-based service provider with locations around the world. We can also deduce that this particular router is located in the US, specifically in the Miami, Florida area, by looking at the two elements of the hostname immediately to the left of m247.com. Note the three-letter abbreviation “mia”. Although there is no requirement to do so, many companies mark the geographic location of routers using the International Air Transport Association (IATA) three-letter airport codes. The last two parts of the hostname detail the router's location on the service provider's network, with “as06” likely short for the autonomous system number and “vlan156” referring to the VLAN they were found to be traveling through our packages.
What is the difference between ping and traceroute?
Ping and traceroute are both network diagnostic tools, but traceroute is a bit more complicated. Ping will test connectivity between two hosts, but it does not give information about the path between those two hosts. traceroute, on the other hand, shows all intermediate hops between source and destination. This can be useful during episodes of intermittent connectivity, for example if only 50% of pings between two points are successful.
Are Tracert and Traceroute the same?
Tracert and Traceroute perform almost identical functions, but the underlying code between the two tools is different. Tracert was created by Microsoft for Windows operating systems, while the older traceroute is for Unix-based systems. There are slight differences in the default parameters between the two tools, such as the type of packages used.
What about the MTR, Tracepath, Paris Traceroute, etc.?
The original traceroute tool, which dates back to 1987, is not always able to produce accurate results. Load balancing, network address translation (NAT), firewalls, and other factors can lead to inaccurate or incomplete results. Some similar tools, such as mtr and Paris Traceroute, implement the same basic idea as traceroute, but try to address the weaknesses of the classic tool by various means. Some tools have also tried to improve their configuration over the original.
I want to trace an IPv6 route! What can I do;
The traceroute6 and tracert6 commands provide the same functionality as traceroute, but for IPv6 networks. Many of the similar tools also have support for IPv6.
Now you understand a little more about how traceroute works. It may not be as exciting a topic as theor vulnerabilities , but it can be a fun tool to help you understand the flow of data through networks.