How does Traceroute work?



Traceroute finds which network devices are involved in sending messages from the source host to the destination host.

Routes are not necessarily bi-directional.


Traceroute can be explained in three main steps below.

1- Traceroute starts by sending 3 UDP packets with a TTL set to 1, towards the destination. Each UDP packet gets an ICMP reply with a Time-to-live  exceeded message. The key thing is that the IPv4 Source field is now filled with an IP address ( – line 2 in the packet capture). This means is now our first hop.

2- Sw1 then sends another 3 UDP packets to the destination with a TTL of 2. So the packet goes past the first hop (Sw3), gets to the second hop (Sw4), and another 3 ICMP TTL exceeded messages are sent back with the source IP field filled in ( – line 8 in the packet capture). This means is our second hop.

3- Sw1 then sends another 3 UDP packets to the destination with a TTL of 3. This time it actually reaches the destination, and we get an ICMP – Destination unreachable (Port unreachable) message back. Because we can actually reach the destination (at layer 3) and the TTL has not been exceeded, it now tries to reach the destination port (layer 4).

This verifies that this is the final hop, and a TTL of 3 meant the destination was 3 hops away. It doesn’t matter that the port was unreachable, it was simply a test to get that port unreachable message back so that we know we moved up the OSI stack to layer 4, which verifies layer 3 is reachable.

The last thing is that traceroute always starts at port 33434 and increments by 1 each time a UDP packet is sent. You can see this in thepacket capture. The first line shows the destination port is traceroute (which is 33434). The next red line shows 33435, then 33436 and so on.


Type escape sequence to abort.
Tracing the route to

  1 0 msec 0 msec 9 msec
  2 0 msec 0 msec 0 msec
  3 8 msec *  0 msec

Traceroute Capture.pcap 1.4 kb · 17 packets

When you execute a traceroute command (ie traceroute, your machine sends out 3 UDP packets with a TTL (Time-to-Live) of 1. 

When those packets reach the next hop router, it will decrease the TTL to 0 and thus reject the packet.  It will send an ICMP Time-to-Live Exceeded (Type 11), TTL equal 0 during transit (Code 0) back to your machine – with a source address of itself, therefore you now know the address of the first router in the path.

Next your machine will send 3 UDP packets with a TTL of 2, thus the first router that you already know passes the packets on to the next router after reducing the TTL by 1 to 1.

The next router decreases the TTL to 0, thus rejecting the packet and sending the same ICMP Time-to-Live Exceeded with its address as the source back to your machine.  Thus you now know the first 2 routers in the path.

This keeps going until you reach the destination.  Since you are sending UDP packets with the destination address of the host you are concerned with, once it gets to the destination the UDP packet is wanting to connect to the port that you have sent as the destination port, since it is an uncommon port, it will most like be rejected with an ICMP Destination Unreachable (Type 3), Port Unreachable (Code 3).

This ICMP message is sent back to your machine, which will understand this as being the last hop, therefore traceroute will exit, giving you the hops between you and the destination.

The UDP packet is sent on a high port, destined to another high port.  On a Linux box, these ports were not the same, although usually in the 33000.  The source port stayed the same throughout the session, however the destination port was increase by one for each packet sent out.

One note, traceroute actually sends 1 UDP packet of TTL, waits for the return ICMP message, sends the second UDP packet, waits, sends the third, waits, etc, etc, etc.

If during the session, you receive * ******* *, this could mean that that router in the path does not return ICMP messages, it returns messages with a TTL too small to reach your machine or a router with buggy software.

After a * * * within the path, traceroute will still increment the TTL by 1, thus still continuing on in the path determination.




diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.
route is recorded as the round-trip times of the packets received from each successive host (remote node) in the route (path); the sum of the mean times in each hop is a measure of the total time spent to establish the connection.

In Linux, traceroute by default sends a sequence of User Datagram Protocol (UDP) packets addressed to a destination host; ICMP Echo Request or TCP SYN packets can also be used.

In Windows, traceroute sends ICMP echo requests instead of UDP packets.

The time-to-live (TTL) value, also known as hop limit, is used in determining the intermediate routers being traversed towards the destination. Routers decrement TTL values of packets by one when routing and discard packets whose TTL value has reached zero, returning the ICMP error message ICMP Time Exceeded.[3] Common default values for TTL are 128 (Windows OS) and 64 (Unix-based OS).

Traceroute works by sending packets with gradually increasing TTL value, starting with TTL value of one.
The first router receives the packet, decrements the TTL value and drops the packet because it then has TTL value zero. The router sends an ICMP Time Exceeded message back to the source.
The next set of packets are given a TTL value of two, so the first router forwards the packets, but the second router drops them and replies with ICMP Time Exceeded.
Proceeding in this way, traceroute uses the returned ICMP Time Exceeded messages to build a list of routers that packets traverse, until the destination is reached and returns an ICMP Echo Reply message.

On Unix-like operating systems, the traceroute utility uses User Datagram Protocol (UDP) datagrams by default, with destination port numbers ranging from  PORT 33434 to 33534.

$ traceroute -w 3 -q 1 -m 16
In the example above, selected options are to wait for three seconds (instead of five), send out only one query to each hop (instead of three), limit the maximum number of hops to 16 before giving up (instead of 30),