If you've ever wondered why your Internet connection seems slow, or you've experienced connection problems with a website, you might have heard of a tool called "traceroute." But what is a traceroute, and how does it work? In this article, we give a quick and simple introduction to what traceroutes are and how they work to help identify and troubleshoot network problems.

I. What are Traceroutes?

Traceroute is the most popular tool that network engineers use to troubleshoot networks. Traceroutes allow you to trace the route taken by packets of data from your computer to a destination on the Internet. By identifying each hop along the way, traceroute can help pinpoint where a connection issue may be occurring.

Traceroutes were invented in 1987 and are still highly relevant in today's world of network monitoring tools and network troubleshooting tools.


Traceroute Series

We've written a series of articles about traceroutes, the most popular tool that network engineers use to troubleshoot network performance.

II. What is a Traceroute Anyways - What do Traceroutes Do?

Now, what does traceroute do? As its name suggests, the main purpose of a traceroute is to trace the IP route from a source to a destination inside an IP network. A network traceroute shows the user not only the routers along the path but also the round-trip latency from the source to each of those routers.

Traceroute commands are available on almost any host. On Windows, there is the tracert.exe command, and on Linux and macOS it’s the traceroute command. Other free and commercial software can also run traceroutes, such as the Obkio Monitoring Agent. Here is an example from the Obkio Live Traceroute feature:


+---+-------------------+-------+-----+------+------+------+------+
| # | Hostname          | Loss% | Snt | Last |  Avg | Best | Wrst |
+---+-------------------+-------+-----+------+------+------+------+
| 1 | 192.168.1.1       |   0.0 |  20 |  4.3 |  1.5 |  0.4 |  4.3 |
| 2 | router1.ispA.com  |   0.0 |  20 |  6.8 | 15.4 |  6.8 | 35.9 |
| 3 | router2.ispB.com  |   0.0 |  20 | 12.3 | 13.7 |  8.4 | 28.1 |
| 4 | router3.ispC.com  |   0.0 |  20 | 11.3 | 13.8 |  9.0 | 38.4 |
| 5 | website.com       |   0.0 |  20 | 12.8 | 16.1 | 10.4 | 38.4 |
+---+-------------------+-------+-----+------+------+------+------+

It's important to understand that traceroutes will only trace Layer 3 IP routers or hosts. If there is a switch or Wi-Fi access point between two routers, a traceroute will not show it, even if it has a management IP address. A switch with Layer 3 / IP routing features will appear only if it is routing the packets.

Learn everything you need to know about what a traceroute is, how traceroutes work, how to read a traceroute, and how they help network engineers troubleshoot network issues in our free complete guide to traceroutes! Download the guide to access it anytime, anywhere.


III. What Are Traceroutes Used For in Networking?

Now that we've discussed what traceroutes are, let's go over what traceroutes are actually used for in the world of networking.

  1. Troubleshooting Network Issues: Traceroutes are commonly used by network administrators and technicians to identify where network issues are occurring. By tracing the path of data packets, they can identify which network node is causing packet loss, latency, or other issues.
  2. Identifying Internet Service Provider (ISP) Issues: If you're experiencing slow internet speeds or connection issues, a traceroute can help determine if the issue is with your ISP or with the website or service you're trying to connect to.
  3. Verifying Routing: Traceroutes can be used to verify that data packets are taking the correct route through a network, ensuring that they're passing through the necessary security and performance checks.
  4. Investigating Cyberattacks: Traceroutes can be used to track the path of a cyberattack, helping to identify the source and potentially prevent future attacks.
  5. Testing Network Performance: Traceroutes can be used to measure network performance, such as latency and packet loss, allowing you to optimize your network for better performance.

The Easiest Visual Traceroute Tool on the Market - Obkio Vision

Stop looking for the perfect Traceroute tool - Obkio Vision is right here!

Obkio Vision is a free visual traceroute tool and IP route historic monitor that runs continuously to interpret Traceroute results for you and help troubleshoot network problems (in your WAN and over the Internet) faster and easier than ever.


Some of Obkio Vision’s next-generation features include:

  1. The Quality Matrix: Monitor multiple network destinations during a span of 3 hours. IP addresses can be used as destinations such as SaaS Websites, VoIP Providers, Network devices, etc.
  2. Network Map: Get a visual representation of each network path to their destinations. Each router displays its own Quality Score to help pinpoint where network issues are located.
  3. Traceroutes: Measure hop-by-hop core network metrics like packet loss, latency and jitter with wide time ranges (from 5 minutes to 3 hours).

Download Obkio Vision for Free or use it with Obkio's Complete Network Performance Monitoring Tool.

Obkio Vision: Visual Traceroute Tool

Leverage Obkio Vision to monitor, detect and troubleshoot network problems with visual traceroutes, IP route historic and graphical network maps.


IV. How Do Traceroutes Work to Understand Networks?

Traceroutes are an advanced tool, but here is a brief explanation of how traceroutes work.

Traceroutes work by sending out a series of packets with increasing Time To Live (TTL) values, which essentially act as a countdown for how many routers a packet can pass through before it's discarded. When a packet's TTL runs out at a network node, the node discards it and sends an ICMP "time exceeded" message back to the sender, indicating that the packet has reached its TTL limit.

In the IP header, there is an 8-bit field called Time-to-live (TTL) that goes from 0 to 255. The value of the TTL is decremented by 1 each time a packet is routed by a router. When the TTL value reaches 0, the packet is discarded and an ICMP TTL Exceeded message might be sent back to the source of the packet.

The main objective of the TTL field is not to trace a route but to discard packets if there is a routing loop in a network. So if there is a loop, since each router decrements the TTL value, at one point, it goes to 0 and gets discarded.

So the traceroute software uses the TTL to discover the routers between a source and a destination.

Figure A - What are Traceroutes

By receiving and analyzing these messages from each node, a traceroute can map out the path that the data takes to reach its destination. This information can be invaluable for diagnosing network issues, such as identifying where packet loss or latency may be occurring.

V. How Do Traceroutes Work?: The Step-By-Step Explanation

You can follow along with the picture above to get a better understanding.

  1. Firstly, the Source (Src) sends a packet with TTL=1.
  2. The Router decrements the TTL by 1, which changes the value to 0. The packet is dropped and the router sends an ICMP TTL Exceeded message. The destination IP address of the ICMP message is the source IP address of the discarded packet. The source IP address of the ICMP message is the IP address of the interface on which the packet was received.
  3. The Source receives the "ICMP TTL Exceeded" message and adds the router IP to the Traceroute hops table.
  4. Then the process starts over again with TTL=2.
  5. The packet is routed through the first Router (R1), which also decrements the packet's TTL value.
  6. The second Router (R2) receives the packet, decrements the TTL, discards the packet and sends the "ICMP TTL Exceeded" message.
  7. And it continues like this by incrementing the TTL by 1 until it reaches its destination.

VI. How Do Traceroutes Work If the Router doesn't Respond?

The latency measured for each router in the trace is the time difference between when the message is sent and when the TTL exceeded message is received.

It's important to note that there is no obligation for the router to send that ICMP TTL Exceeded message. So if a router never sends the message, it will not be discovered in the traceroute, but since it is still decrementing the TTL value, it will count as an unknown hop in the trace. Here is an example with hop #3 not sending ICMP TTL Exceeded packets:


+---+-------------------+-------+-----+------+------+------+------+
| # | Hostname          | Loss% | Snt | Last |  Avg | Best | Wrst |
+---+-------------------+-------+-----+------+------+------+------+
| 1 | 192.168.1.1       |   0.0 |  20 |  4.3 |  1.5 |  0.4 |  4.3 |
| 2 | router1.ispA.com  |   0.0 |  20 |  6.8 | 15.4 |  6.8 | 35.9 |
| 3 | ???               | 100.0 |  20 |    - |    - |    - |    - |
| 4 | router3.ispC.com  |   0.0 |  20 | 11.3 | 13.8 |  9.0 | 38.4 |
| 5 | website.com       |   0.0 |  20 | 12.8 | 16.1 | 10.4 | 38.4 |
+---+-------------------+-------+-----+------+------+------+------+
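The TTL walk from section V and the silent router described in this section can be reproduced offline. The following is an added example, not code from Obkio or from any traceroute implementation: it builds real IPv4/ICMP byte layouts and runs them over a simulated path. The function names (`ipv4_header`, `forward`, `trace`), the addresses, and the ICMP echo probe type are assumptions made for illustration, and checksums are left at zero.

```python
import socket
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11

def ipv4_header(src, dst, ttl, length):
    """20-byte IPv4 header carrying ICMP (protocol 1). TTL sits at byte offset 8."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, ttl, 1, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def forward(path, packet):
    """Simulated network: every router decrements the TTL byte. Returns reply bytes or None."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    for router_ip, sends_icmp in path:
        ttl = packet[8] - 1
        if ttl == 0:                       # TTL expired: the packet is dropped here
            if not sends_icmp:
                return None                # a router is not obliged to report the drop
            # Time Exceeded quotes the dropped IP header plus its first 8 payload bytes
            icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + packet[:28]
            return ipv4_header(router_ip, src, 64, 20 + len(icmp)) + icmp
        packet = packet[:8] + bytes([ttl]) + packet[9:]
    # Destination reached: the echo reply copies the identifier and sequence number
    reply = struct.pack("!BBH", ICMP_ECHO_REPLY, 0, 0) + packet[24:28]
    return ipv4_header(dst, src, 64, 20 + len(reply)) + reply

def trace(path, src, dst, max_ttl=30, ident=0x4F42):
    """Send one probe per TTL and build the hops table as (ttl, responder) pairs."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        echo = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, ttl)
        reply = forward(path, ipv4_header(src, dst, ttl, 28) + echo)
        if reply is None:
            hops.append((ttl, "???"))      # silent router still consumes one TTL step
            continue
        icmp_type = reply[20]
        # In a Time Exceeded message the quoted probe header starts at offset 48
        quoted = reply[48:56] if icmp_type == ICMP_TIME_EXCEEDED else reply[20:28]
        r_ident, r_seq = struct.unpack("!HH", quoted[4:8])
        if (r_ident, r_seq) != (ident, ttl):
            continue                       # not an answer to this probe
        hops.append((ttl, socket.inet_ntoa(reply[12:16])))
        if icmp_type == ICMP_ECHO_REPLY:
            break                          # destination answered: trace complete
    return hops

# Constructed path (addresses are illustrative): (ingress interface IP, sends ICMP?)
PATH = [("192.168.1.1", True), ("198.51.100.1", True),
        ("198.51.100.9", False), ("203.0.113.1", True)]
SRC, DST = "192.168.1.10", "203.0.113.80"

if __name__ == "__main__":
    for ttl, responder in trace(PATH, SRC, DST):
        print(ttl, responder)
```

The third router never appears by address, yet hop 4 and the destination are still discovered, which is the behavior shown in the table above.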

VII. How to Read A Traceroute: What are Traceroutes?

When looking at a traceroute, there are usually two important values for each hop or router: latency and packet loss.

Let’s take a look at this traceroute from the Obkio Live Traceroute feature:


+---+-------------------+-------+-----+------+------+------+------+
| # | Hostname          | Loss% | Snt | Last |  Avg | Best | Wrst |
+---+-------------------+-------+-----+------+------+------+------+
| 1 | 192.168.1.1       |   0.0 |  10 |  1.0 |  1.6 |  0.5 |  3.9 |
| 2 | router1.ispA.com  |  10.0 |  10 |  5.0 |  5.6 |  4.5 |  7.9 |
| 3 | router2.ispB.com  |   0.0 |  10 | 10.0 | 10.6 |  9.5 | 15.9 |
| 4 | router3.ispC.com  |   0.0 |  10 | 12.0 | 12.6 | 11.5 | 22.9 |
| 5 | router4.ispC.com  |   0.0 |  10 | 13.0 | 13.6 | 12.5 | 23.9 |
| 6 | router5.ispC.com  |   0.0 |  10 | 14.0 | 14.6 | 13.5 | 21.9 |
| 7 | router6.ispC.com  |   0.0 |  10 | 15.0 | 15.6 | 14.5 | 29.9 |
| 8 | website.com       |   0.0 |  10 | 16.0 | 16.6 | 15.5 | 39.9 |
+---+-------------------+-------+-----+------+------+------+------+
Figure A

  1. Latency is the round-trip latency calculated by the source. It refers to the time it takes from when a packet was sent to when a response was received. In the table above, we have 10 latency values because 10 packets have been sent (column Snt). The last packet latency is Last, the average latency is Avg, the best and worst are the two last columns.
  2. Packet Loss simply refers to the percentage of sent packets which never received a response out of the total number of sent packets. In this example, packet loss of 10% at hop 2 is quite significant. However, the first thing to look at is the number of packets that have been sent (Snt column).

In this case, we lost 1 packet out of the 10 that were sent, resulting in a packet loss rate of 10%. So 10% packet loss is a lot but out of 10 packets, it’s not very significant. Out of 1,000 or 10,000 packets, it would be another story. Traceroute tools often have a configuration option to change the number of packets that are sent and the interval at which they are sent.

VIII. How to Analyze a Traceroute: How do Traceroutes Work?

The rule of thumb when looking at a traceroute is very simple:

If the packet loss doesn't continue, don’t panic, it’s not an issue!


+---+-------------------+-------+-----+------+------+------+------+
| # | Hostname          | Loss% | Snt | Last |  Avg | Best | Wrst |
+---+-------------------+-------+-----+------+------+------+------+
| 1 | 192.168.1.1       |   0.0 |  10 |  1.0 |  1.6 |  0.5 |  3.9 |
| 2 | router1.ispA.com  |  50.0 |  10 |  5.0 |  5.6 |  4.5 |  7.9 |
| 3 | router2.ispB.com  |   0.0 |  10 | 10.0 | 10.6 |  9.5 | 15.9 |
| 4 | router3.ispC.com  |   0.0 |  10 | 12.0 | 12.6 | 11.5 | 22.9 |
| 5 | router4.ispC.com  |   0.0 |  10 | 13.0 | 13.6 | 12.5 | 23.9 |
| 6 | router5.ispC.com  |   0.0 |  10 | 14.0 | 14.6 | 13.5 | 21.9 |
| 7 | router6.ispC.com  |   0.0 |  10 | 15.0 | 15.6 | 14.5 | 29.9 |
| 8 | website.com       |   0.0 |  10 | 16.0 | 16.6 | 15.5 | 39.9 |
+---+-------------------+-------+-----+------+------+------+------+
Figure B

In Figure B: 50% packet loss over a connection is terrible and makes it almost unusable. So are there any issues with this new traceroute example? Let’s apply the rule of thumb and figure it out.

  • Does the 50% packet loss continue in the traceroute?
  • Does every hop report that same 50% that we see with hop #2?

The answer is no, otherwise we would see packet loss with hops #3 through #8.

Should we panic and call our ISP to tell them we have packet loss on the path? No! Does it mean there is an issue with that router? No! It only tells us that hop #2 is responding to 50% of the packets or that 50% of the “ICMP TTL Exceeded” messages return to the source.

A deep dive on why we have packet loss with that hop is covered in Why Do Some Routers Drop Packets or Have High Latencies?.

Why Do Some Routers Drop Packets or Have High Latencies?

Find out why single routers can drop traceroute packets or have higher latencies and why that’s normal.


IX. Good vs. Bad Traceroute Results: What are Traceroutes?

Looking at the example above, is the latency good? Is it normal? With only this traceroute and no more information, we don’t know.

The latency between two hops can be affected by a number of things such as:

  • the distance between them
  • the medium connecting them (fiber optic, coax cable, copper lines, wireless, etc.)
  • the technology used (cable DOCSIS, DSL, GPON, dedicated fiber, etc.)
  • the configuration on the routers such as traffic shaping
  • the network condition such as congestion

So to understand if the latency in a traceroute is good or bad, we need to know more information about the path. That information can come from our experience or knowledge of the path and routers, but the best one comes from historical traceroutes.

By comparing the latency over time, it’s much easier to know if the latency we are looking at is normal or not. Of course, a network performance monitoring solution such as Obkio has historical traceroute features that can help with that.

X. Analyzing A Bad Traceroute: What are Traceroutes

Here is another example similar to Figure B. We have the same path from the source to the destination but the packet loss and the latency values are different.


+---+-------------------+-------+-----+------+------+------+------+
| # | Hostname          | Loss% | Snt | Last |  Avg | Best | Wrst |
+---+-------------------+-------+-----+------+------+------+------+
| 1 | 192.168.1.1       |   0.0 |  10 |  1.0 |  1.6 |  0.5 |  3.9 |
| 2 | router1.ispA.com  |  50.0 |  10 | 50.0 | 55.6 | 33.5 | 77.9 |
| 3 | router2.ispB.com  |  50.0 |  10 | 52.0 | 54.6 |  9.5 | 56.9 |
| 4 | router3.ispC.com  |  50.0 |  10 | 54.0 | 53.6 | 32.5 | 66.9 |
| 5 | router4.ispC.com  |  50.0 |  10 | 55.0 | 55.6 | 44.5 | 72.9 |
| 6 | router5.ispC.com  |  50.0 |  10 | 53.0 | 52.6 | 21.5 | 58.9 |
| 7 | router6.ispC.com  |  50.0 |  10 | 52.0 | 56.6 | 29.5 | 99.9 |
| 8 | website.com       |  50.0 |  10 | 56.0 | 55.6 | 43.5 | 87.9 |
+---+-------------------+-------+-----+------+------+------+------+
Figure C

1. Check Packet Loss

Does the packet loss continue after it started? Oh yes! In this case, we see packet loss jump to 50% between hop #1 and hop #2, and it continues all the way to the last hop. So in this case, there is a good chance that there is indeed some packet loss between hop #1 and #2.

Be careful, Internet traffic is asymmetrical so the issue can be on the reverse path! This topic is covered in Internet Traffic is Asymmetrical - How to Catch Reverse Path Issues?.

So if there is packet loss with routers at ISP A, ISP B and ISP C, maybe we should call all of them and tell them they have 50% packet loss on their routers… or maybe post that on social media... or maybe not… We should focus on where the packet loss starts, which is between hop #1 and hop #2.
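The rule of thumb applied to Figure B and Figure C can be written as a check over a parsed traceroute table. This is an added example, not part of Obkio's tooling: `parse_table` and `loss_onset` are hypothetical helper names, and the two tables are abridged copies of the figures above (hops 1, 2, 3 and 8).

```python
def parse_table(text):
    """Parse the bordered table layout used on this page into one dict per hop."""
    hops = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8 or not cells[0].isdigit():
            continue                      # border, header or blank line
        hops.append({"hop": int(cells[0]), "host": cells[1],
                     "loss": float(cells[2]), "sent": int(cells[3])})
    return hops

def loss_onset(hops):
    """Return the hop number where loss starts and continues to the last hop, else None."""
    if not hops or hops[-1]["loss"] == 0.0:
        return None                       # the last hop answers every probe: loss did not continue
    onset = hops[-1]
    for hop in reversed(hops):
        if hop["loss"] == 0.0:
            break                         # first clean hop going backwards ends the run
        onset = hop
    return onset["hop"]

# Abridged rows from Figure B: loss at hop 2 only
FIGURE_B = """
| # | Hostname          | Loss% | Snt | Last |  Avg | Best | Wrst |
| 1 | 192.168.1.1       |   0.0 |  10 |  1.0 |  1.6 |  0.5 |  3.9 |
| 2 | router1.ispA.com  |  50.0 |  10 |  5.0 |  5.6 |  4.5 |  7.9 |
| 3 | router2.ispB.com  |   0.0 |  10 | 10.0 | 10.6 |  9.5 | 15.9 |
| 8 | website.com       |   0.0 |  10 | 16.0 | 16.6 | 15.5 | 39.9 |
"""

# Abridged rows from Figure C: loss from hop 2 through the last hop
FIGURE_C = """
| # | Hostname          | Loss% | Snt | Last |  Avg | Best | Wrst |
| 1 | 192.168.1.1       |   0.0 |  10 |  1.0 |  1.6 |  0.5 |  3.9 |
| 2 | router1.ispA.com  |  50.0 |  10 | 50.0 | 55.6 | 33.5 | 77.9 |
| 3 | router2.ispB.com  |  50.0 |  10 | 52.0 | 54.6 |  9.5 | 56.9 |
| 8 | website.com       |  50.0 |  10 | 56.0 | 55.6 | 43.5 | 87.9 |
"""

if __name__ == "__main__":
    print("Figure B onset:", loss_onset(parse_table(FIGURE_B)))
    print("Figure C onset:", loss_onset(parse_table(FIGURE_C)))
```

A returned hop number N means the segment to look at is the one between hop N-1 and hop N, keeping in mind the reverse-path caveat above.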

2. Check the Latency

Let’s take a look at the other network metric in this traceroute: latency.

By comparing Figure B and C, it’s clear that there is an increase in the latency values, and it all starts between hop #1 and #2, just like the packet loss. In this case, with an increase of packet loss and an increase of latency, it looks like network congestion.

Since Hop #1 (192.168.1.1) is the business’ firewall and Hop #2 (router1.ispA.com) is the ISP A router, the congestion is probably on the business Internet connection. By looking at the bandwidth usage on the firewall, the IT administrator of the business can easily validate if there is congestion. A solution such as Obkio’s Network Device Monitoring solution is able to get that info.

In the case where there is no congestion, a trouble ticket can be opened with ISP A to troubleshoot the network issues and the traceroute must be shared with them to accelerate the troubleshooting.

XI. How do Traceroutes Work for Network Troubleshooting?

Traceroutes are a powerful tool for diagnosing network issues, and can help identify potential problem areas along the path of data packets. Above, we explained how traceroutes work, how to run traceroutes, and how to interpret traceroute results. You can now use all the information you received to troubleshoot network issues.

P.S. We talk more in detail about troubleshooting with Obkio's free traceroute tool in our article on How to Troubleshoot Networks with Obkio Vision Visual Traceroute.

How to Troubleshoot Networks with Vision Visual Traceroute

Learn how to use Obkio Vision’s Visual Traceroute tool to troubleshoot network problems with traceroutes both inside & outside your local network.


When troubleshooting network issues with traceroutes, there are a few key steps to follow:

  1. Identify the source of the issue: Use traceroutes to identify where along the path of data packets the issue is occurring. This can help you determine if the issue is with your local network, your ISP, or with the website or service you're trying to connect to.
  2. Work with your ISP: If you're experiencing issues with your ISP, traceroutes can help you pinpoint where the issue is occurring and work with your ISP to resolve it. By providing your ISP with the results of your traceroute, they can identify any issues on their network and work to fix them.
  3. Use other network diagnostic tools: While traceroutes are a valuable tool for troubleshooting network issues, they shouldn't be the only tool in your arsenal. Other network diagnostic tools, such as ping and pathping, can also provide valuable information on network performance and potential issues.
  4. Identify potential bottlenecks: When analyzing traceroute results, look for areas where data packets are taking longer to travel between network nodes. These areas may be potential bottlenecks, and may require further investigation to determine the cause of the latency.

By following these steps and using traceroutes in conjunction with other network diagnostic tools, like Obkio Network Performance Monitoring, you can quickly and effectively troubleshoot network issues and improve network performance.

Now We Know What Traceroutes Are - Start Using Them!

In conclusion, traceroutes are a powerful tool for diagnosing and troubleshooting network issues. By sending packets of data with increasing TTL values, traceroutes allow you to trace the path of data packets through a network, identifying potential problem areas, verifying routing, and measuring network performance.

Traceroutes are commonly used by network administrators and technicians to troubleshoot network issues, identify ISP issues, investigate cyberattacks, and test network performance. By following best practices for performing and interpreting traceroutes, and using them in conjunction with other network diagnostic tools, you can quickly and effectively diagnose and resolve network issues, improving network performance and ensuring that your network is operating at peak efficiency.

You can start using Traceroutes for yourself! Download Obkio Vision for Free or use it with Obkio's Complete Network Performance Monitoring Tool.


What are Traceroutes and How Do Traceroutes Work: Next Articles

This is the end of this first article on traceroutes. Now that you know how traceroutes work, the next articles will cover how to analyze traceroutes, how to read a traceroute, and which information is the most important.

We hope you enjoyed this article in the traceroute series.
