We have written a series of articles about traceroutes, the most popular tool that network engineers use to troubleshoot network performance.
This article explains the different reasons why a single router can drop traceroute packets or have higher latencies and why it’s normal. First, let’s take a look at this example:
+---+-------------------+-------+-----+------+------+------+------+
| # | Hostname          | Loss% | Snt | Last | Avg  | Best | Wrst |
+---+-------------------+-------+-----+------+------+------+------+
| 1 | 192.168.1.1       |  90.0 |  10 |  1.0 |  1.6 |  0.5 |  3.9 |
| 2 | router1.ispA.com  |   0.0 |  10 |  5.0 |  5.6 |  4.5 |  7.9 |
| 3 | router2.ispB.com  |   0.0 |  10 | 10.0 | 10.6 |  9.5 | 15.9 |
| 4 | router3.ispC.com  |  50.0 |  10 | 62.0 | 62.6 | 31.5 | 72.9 |
| 5 | ???               | 100.0 |  10 |    - |    - |    - |    - |
| 6 | router5.ispC.com  |  20.0 |  10 | 14.0 | 14.6 | 13.5 | 21.9 |
| 7 | router6.ispC.com  |   0.0 |  10 | 15.0 | 15.6 | 14.5 | 29.9 |
| 8 | website.com       |   0.0 |  10 | 16.0 | 16.6 | 15.5 | 39.9 |
+---+-------------------+-------+-----+------+------+------+------+
Figure A
In this example, hops #1, #4, #5 and #6 are dropping packets. As explained in the previous article How To Identify Network Issues with Traceroutes?, the general rule of thumb when checking packet loss is that if the packet loss doesn’t continue with the following hops, then it’s not a network issue.
So in this example, everything runs smoothly between the source and the destination. Let’s see why some hops have packet loss and why hop #4 has higher latencies.
A traceroute will report packet loss if:
- (A) The packet from the source never reached the router, so a response cannot be sent;
- (B) The packet from the source is received by the router but the response is lost on the reverse path;
- (C) The packet from the source is received by the router but it decided not to respond with an “ICMP TTL Exceeded” message.
Obviously, reasons A and B correspond to standard packet loss between the source and the router either in the forward path (source to router) or on the reverse path (router to source).
Reason C is special because of something called Rate Limiting. Some routers, but not all of them, have interval rules to limit the number of ICMP TTL Exceeded messages that are sent by the router. Usually, the rule is there to protect the router CPU (Central Processing Unit). Sometimes it is configurable, while other times it is not. In some cases, routers never respond with the ICMP messages, as we see in Figure A with hop #5.
A lot of small offices and home routers/firewalls are configured with a rate-limit of 1pps (packet per second) and there is nothing you can do to change that.
One way to detect if the drops are related to rate limiting is by changing the rate of the traceroute packets sent by the source.
If by sending at 1pps (1 packet per second) you don’t see drops, but when you increase the rate to 5pps (5 packets per second or 1 packet every 0.2 second), you see drops on some hops, this usually indicates that there is a rate limiting rule. For example, an 80% packet loss rate at 5pps can suggest a 1pps rate limiting configuration.
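The two-rate check described above, combined with the rule of thumb that loss must continue on the following hops to be a real network issue, can be automated. The following is an added example and not code from the original article; the function name, labels and 5% tolerance are assumptions, and the loss figures are constructed sample data (hostnames follow Figure A).

```python
"""Classify per-hop traceroute loss using two runs at different probe rates."""

# Constructed sample: loss % per hop at 1 pps and at 5 pps. Hostnames follow
# Figure A; the loss figures are invented for this example.
HOPS = ["192.168.1.1", "router1.ispA.com", "router3.ispC.com", "???",
        "router5.ispC.com", "website.com"]
LOSS_1PPS = [0.0, 0.0, 30.0, 100.0, 0.0, 0.0]
LOSS_5PPS = [80.0, 0.0, 50.0, 100.0, 20.0, 0.0]


def classify(slow, fast, fast_pps=5.0, tol=5.0):
    """Return one (label, estimated_reply_pps) tuple per hop.

    slow/fast are lists of loss percentages, ordered source to destination,
    measured at a low and a high probe rate (tol is an assumed noise margin).
    """
    out = []
    for i, (ls, lf) in enumerate(zip(slow, fast)):
        # Loss that persists on every later hop, in both runs, is real path loss.
        carried = min(slow[i:] + fast[i:])
        if carried > tol:
            out.append(("path-loss", None))
        elif ls >= 100.0 and lf >= 100.0:
            out.append(("silent", None))       # never sends ICMP TTL Exceeded
        elif lf > tol and ls <= tol:
            # Replies that got through per second approximate the limiter.
            out.append(("rate-limited", round(fast_pps * (1 - lf / 100), 2)))
        elif lf > tol:
            out.append(("local-drops", None))  # lossy, but not propagated
        else:
            out.append(("ok", None))
    return out


if __name__ == "__main__":
    for host, (label, pps) in zip(HOPS, classify(LOSS_1PPS, LOSS_5PPS)):
        note = f" (~{pps} replies/s)" if pps is not None else ""
        print(f"{host:18} {label}{note}")
```

A destination that never answers is reported as path loss by this sketch, since no later hop can show otherwise.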
ISP routers are complex systems with a lot of components such as CPUs, NPUs (Network Processing Units), ASICs (Application Specific Integrated Circuits) and FPGAs (Field Programmable Gate Arrays). The main purpose of a router is to route packets and to maintain routing protocols to make sure the routing table is always up to date.
Responding to traceroute packets with ICMP TTL Exceeded messages is not their top priority. This is why some responses may be dropped if the CPU is doing something else, or it can be delayed if some other important processes are using the CPU when a response needs to be sent.
In that case, an increase of the latency is possible, as shown on hop #4 of Figure A. Since the latency increase is not propagated at every hop after hop #4, there is no network issue.
For various reasons, some networks are configured to block ICMP traffic. This is not something we recommend, but when it happens, the ICMP TTL Exceeded messages are dropped by a firewall and the traceroute will not work at all.
A quick note to all network administrators: even if you block all ICMP traffic on IPv4, never do the same with IPv6. IPv6 uses ICMPv6 in place of ARP, so blocking it also blocks NDP (Neighbor Discovery Protocol), which will completely block IPv6 connectivity.
This is the end of this article on traceroutes. The next articles will cover how to analyze traceroutes and which information is the most important.
We hope you enjoyed this article in the traceroute series. You can also download our free complete guide to traceroutes to catch up on the whole traceroute series in one document!
- What is a Traceroute and How Do Traceroutes Work?
- How To Identify Network Issues with Traceroutes?
- Why Do Some Routers Drop Packets or Have High Latencies? (this article)
- Decode the Hidden Information from Traceroute DNS
- Internet Traffic is Asymmetrical - How to Catch Reverse Path Issues?
- How to Share a Traceroute With an ISP NOC?
- Impact of Load Balancing or Multiple Paths on Traceroutes
- MPLS Networks, TTL Propagation and ICMP Tunneling