Decode the Hidden Information from Traceroute DNS

Jean-François Lévesque
Last updated on Aug. 25, 2020

We have written a series of articles about traceroutes, the most popular tool that network engineers use to troubleshoot network performance.

Beyond network metrics such as packet loss and latency, the hostnames of the traceroute hops can reveal a lot about the real path from the source to the destination. Four pieces of information can be decoded from the hostnames:

  • ISP operating the router
  • The city where the router is located
  • The router name, number, or unique id
  • The ingress interface or port through which the traceroute packet entered the router

Theoretical example

Let’s see that with a theoretical example. The traceroute below is between a desktop and a website. The desktop is connected to a switch that is connected to a router (Hop #1). The switch is not present in the traceroute because it’s not a Layer 3 device (learn more at What Are Traceroutes and How Do They Work?).

+---+-------------------------------+-------+-----+------+------+------+------+
| # | Hostname                      | Loss% | Snt | Last |  Avg | Best | Wrst |
+---+-------------------------------+-------+-----+------+------+------+------+
| 1 | 192.168.1.1                   |   0.0 |   1 |  1.0 |  1.0 |  1.0 |  1.0 |
| 2 | port1.router1.cityA.ispA.com  |   0.0 |   1 |  9.0 |  9.0 |  9.0 |  9.0 |
| 3 | port4.router2.cityB.ispA.com  |   0.0 |   1 | 30.0 | 30.0 | 30.0 | 30.0 |
| 4 | port7.router3.cityB.ispA.com  |   0.0 |   1 | 31.0 | 31.0 | 31.0 | 31.0 |
| 5 | website.com                   |   0.0 |   1 | 32.0 | 32.0 | 32.0 | 32.0 |
+---+-------------------------------+-------+-----+------+------+------+------+
Figure A - Theoretical example

The interesting part is hops #2, #3 and #4. The hostnames make it clear that all three are routers of ISP A. Hop #2 is in City A, and hops #3 and #4 are in City B. The ports and router numbers are clearly identified in the hostnames.

This one was easy. That is not always the case with real traceroutes, but here are some examples and tricks for decoding the information.

IATA City and Airport Codes

The International Air Transport Association (IATA) has a list of codes to identify a lot of major cities and airports around the world. Some international ISPs use the IATA codes to identify the city where the routers are located.

IATA City Codes

+---+-------------------------------+-------+-----+------+------+------+------+
| # | Hostname                      | Loss% | Snt | Last |  Avg | Best | Wrst |
+---+-------------------------------+-------+-----+------+------+------+------+
| 1 | 100ge11-1.core2.yyc1.he.net   |   0.0 |   1 |  1.0 |  1.0 |  1.0 |  1.0 |
| 2 | 100ge14-2.core1.yvr1.he.net   |   0.0 |   1 | 31.0 | 31.0 | 31.0 | 31.0 |
| 3 | 100ge10-2.core1.sea1.he.net   |   0.0 |   1 | 30.0 | 30.0 | 30.0 | 30.0 |
| 4 | 100ge15-1.core1.pdx1.he.net   |   0.0 |   1 | 31.0 | 31.0 | 31.0 | 31.0 |
| 5 | 100ge15-2.core1.pao1.he.net   |   0.0 |   1 | 32.0 | 32.0 | 32.0 | 32.0 |
| 6 | 100ge14-1.core3.fmt1.he.net   |   0.0 |   1 | 32.0 | 32.0 | 32.0 | 32.0 |
| 7 | he.net                        |   0.0 |   1 | 32.0 | 32.0 | 32.0 | 32.0 |
+---+-------------------------------+-------+-----+------+------+------+------+
Figure B - HE.net Example

The example above is a traceroute from a Hurricane Electric customer in Calgary, Canada to the he.net website. The hostnames are very clear: the ISP is always he.net. The port numbers and router names are also clear but, to be honest, they are not very useful to anyone except the he.net network engineers.

The cities in that example are IATA City Codes:

  • YYC: Calgary, AB, Canada
  • YVR: Vancouver, BC, Canada
  • SEA: Seattle, WA, USA
  • PDX: Portland, OR, USA
  • PAO: Palo Alto, CA, USA
  • FMT: Unknown as an IATA code, but it stands for Fremont, CA, USA, where HE.net is hosted.

The rule is not perfect as we can see with FMT, but it makes a traceroute so beautiful that it's okay to cheat if there is no code.

You might have noticed that the latencies look odd in that traceroute. That doesn’t mean there is congestion or any network issue; it’s because of MPLS ICMP tunnelling, which we will cover in another article.

IATA Airport Codes

+---+----------------------------------------------+-------+-----+------+------+------+------+
| # | Hostname                                     | Loss% | Snt | Last |  Avg | Best | Wrst |
+---+----------------------------------------------+-------+-----+------+------+------+------+
| 1 | gi0-4-1-19.99.agr21.ymq01.atlas.cogentco.com |   0.0 |   1 |  0.5 |  0.5 |  0.5 |  0.5 |
| 2 | te0-0-0-6.ccr22.ymq01.atlas.cogentco.com     |   0.0 |   1 |  0.8 |  0.8 |  0.8 |  0.8 |
| 3 | be2104.ccr22.alb02.atlas.cogentco.com        |   0.0 |   1 |  5.7 |  5.7 |  5.7 |  5.7 |
| 4 | be2916.ccr42.jfk02.atlas.cogentco.com        |   0.0 |   1 |  8.8 |  8.8 |  8.8 |  8.8 |
| 5 | be2807.ccr42.dca01.atlas.cogentco.com        |   0.0 |   1 | 14.5 | 14.5 | 14.5 | 14.5 |
| 6 | be3524.rcr22.iad03.atlas.cogentco.com        |   0.0 |   1 | 15.3 | 15.3 | 15.3 | 15.3 |
| 7 | be2952.agr11.iad03.atlas.cogentco.com        |   0.0 |   1 | 15.4 | 15.4 | 15.4 | 15.4 |
| 8 | cogentco.com                                 |   0.0 |   1 | 14.9 | 14.9 | 14.9 | 14.9 |
+---+----------------------------------------------+-------+-----+------+------+------+------+
Figure C - cogentco.com Example

The example above is a traceroute from a Cogent Communications customer in Montreal, Canada to the cogentco.com website. Instead of using city codes, they are using airport codes.

  • YMQ: Montreal, QC, Canada
  • ALB: Albany, NY, USA
  • JFK: New York, NY, USA
  • DCA: Washington, DC, USA
  • IAD: Washington, DC, USA

In this traceroute, the last hop responded a bit faster than the previous one. This is not unusual: the router CPUs that send the ICMP TTL Exceeded message are not very fast compared to a server CPU, so the server takes less time to generate its response than the router does. But remember, what matters is the time it takes to route the packet, and routers are very good at this.

Japanese Example

+---+-------------------------------------+-------+-----+-------+-------+-------+-------+
| # | Hostname                            | Loss% | Snt |  Last |   Avg |  Best |  Wrst |
+---+-------------------------------------+-------+-----+-------+-------+-------+-------+
| 1 | ae-7.r02.mdrdsp03.es.bb.gin.ntt.net |   0.0 |   1 |   0.5 |   0.5 |   0.5 |   0.5 |
| 2 | ae-6.r24.londen12.uk.bb.gin.ntt.net |   0.0 |   1 |  25.0 |  25.0 |  25.0 |  25.0 |
| 3 | ae-7.r20.nwrknj03.us.bb.gin.ntt.net |   0.0 |   1 |  95.0 |  95.0 |  95.0 |  95.0 |
| 4 | ae-5.r22.sttlwa01.us.bb.gin.ntt.net |   0.0 |   1 | 151.0 | 151.0 | 151.0 | 151.0 |
| 5 | ae-3.r30.tokyjp05.jp.bb.gin.ntt.net |   0.0 |   1 | 234.0 | 234.0 | 234.0 | 234.0 |
| 6 | ae-2.r03.tokyjp05.jp.bb.gin.ntt.net |   0.0 |   1 | 240.0 | 240.0 | 240.0 | 240.0 |
| 7 | ae-0.ocn.tokyjp05.jp.bb.gin.ntt.net |   0.0 |   1 | 241.0 | 241.0 | 241.0 | 241.0 |
| 8 | ???                                 |   0.0 |   1 |     - |     - |     - |     - |
+---+-------------------------------------+-------+-----+-------+-------+-------+-------+
Figure D - NTT Example

The network engineers at NTT were very explicit in the hostnames. They added the country and a six-letter string that identifies the city and the state. The routers are located in:

  • Madrid, Spain
  • London, England
  • Newark, NJ, USA
  • Seattle, WA, USA
  • Tokyo, Japan

The 100km / 1ms rule of thumb

To determine whether the latency between two cities is normal or optimal, you can use the 100km / 1ms rule of thumb. The rule is not perfect, but it’s a good approximation of the latency inside a fiber optic network. It can also help you guess which city a specific router is in when the router hostname doesn’t make it obvious.

Why is it useful?

The information inside the DNS hostnames is of course very useful for the network engineers working at ISPs. However, it can also help IT administrators inside enterprises understand why the latency is changing between a source and a destination. For example, a fiber cut between Montreal and New York City will force the traffic to go through Toronto and will add 10ms. With a traceroute history, it’s then easy to identify route changes and explain latency changes.
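The decoding and the route-change comparison described above can be automated. The Python sketch below is an added example, not code from the article or from any ISP: the three regular expressions are assumptions inferred from the hostnames in Figures B, C and D, and the rerouted run (including its `yyz` Toronto hop) is constructed to mirror the Montreal to New York detour.

```python
import re

# Hostname layouts inferred from Figures B, C and D (assumptions, not ISP documentation).
# The city token is followed by a site number, which is dropped.
LAYOUTS = [
    re.compile(r"^(?P<port>[^.]+)\.(?P<router>[^.]+)\.(?P<city>[a-z]{3})\d+\.(?P<isp>he\.net)$"),
    re.compile(r"^(?P<port>.+)\.(?P<router>[a-z]+\d+)\.(?P<city>[a-z]{3})\d+\.atlas\.(?P<isp>cogentco\.com)$"),
    re.compile(r"^(?P<port>[^.]+)\.(?P<router>[^.]+)\.(?P<city>[a-z]{6})\d+\.[a-z]{2}\.bb\.gin\.(?P<isp>ntt\.net)$"),
]

# City codes as listed in the article, plus YYZ (Toronto) for the constructed detour.
CITIES = {
    "yyc": "Calgary", "yvr": "Vancouver", "sea": "Seattle", "pdx": "Portland",
    "pao": "Palo Alto", "fmt": "Fremont", "ymq": "Montreal", "alb": "Albany",
    "jfk": "New York", "dca": "Washington", "iad": "Washington", "yyz": "Toronto",
    "mdrdsp": "Madrid", "londen": "London", "nwrknj": "Newark",
    "sttlwa": "Seattle", "tokyjp": "Tokyo",
}

def decode(hostname):
    """Return ISP, city, router and ingress port for a hop, or None if unrecognized."""
    name = hostname.strip().lower().rstrip(".")
    for layout in LAYOUTS:
        m = layout.match(name)
        if m:
            hop = m.groupdict()
            hop["city"] = CITIES.get(hop["city"], hop["city"].upper())
            return hop
    return None  # bare IPs, "???" and unknown naming schemes

def city_path(hostnames):
    """Collapse a traceroute into the ordered list of distinct cities it crosses."""
    path = []
    for hop in filter(None, map(decode, hostnames)):
        if not path or path[-1] != hop["city"]:
            path.append(hop["city"])
    return path

def new_cities(before, after):
    """Cities that appear only in the later run: the signature of a reroute."""
    seen = set(city_path(before))
    return [c for c in city_path(after) if c not in seen]

# Hops 1-4 of Figure C, then a constructed rerouted run (the yyz hop is invented).
BASELINE = ["gi0-4-1-19.99.agr21.ymq01.atlas.cogentco.com", "te0-0-0-6.ccr22.ymq01.atlas.cogentco.com",
            "be2104.ccr22.alb02.atlas.cogentco.com", "be2916.ccr42.jfk02.atlas.cogentco.com"]
REROUTED = [BASELINE[0], BASELINE[1], "be0000.ccr00.yyz00.atlas.cogentco.com", BASELINE[3]]

if __name__ == "__main__":
    print(city_path(BASELINE), "->", city_path(REROUTED), "new:", new_cities(BASELINE, REROUTED))
```

Hops that return `None` (private addresses, unresolved hops, other naming schemes) are skipped rather than guessed, so a new ISP needs its own layout entry before its hops show up in the city path.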

Next Traceroute Articles

This is the end of this first article on traceroutes. The next articles will cover how to analyze traceroutes and which information is the most important.

We hope you enjoyed this article in the traceroute series.
