The traceroute command is used to trace the exact routing hops and the path that the packets take to the remote destination. This command’s purpose is to test and display the communication link between a source host and a destination host or network.
We will dive into traceroute command today to see how it works.
Table of Contents
How Traceroute works?
Traceroute allows us to identify the route that datagrams are taking on their way to a remote device. This is achieved by sending a series of packets with incrementally larger Time-to-Live values, and then monitoring for ICMP Time Exceeded error messages as the packets expire on the way to the destination system.
The traceroute command uses UDP datagrams by default. We will discuss more details later.
Traceroute is the Linux/macOS version. Tracert is the Windows version.
Example of Traceroute
We can run the following command to trace the path to ip 172.217.175.46.
traceroute 172.217.175.46
This is the output of this command.
traceroute to 172.217.175.46 (172.217.175.46), 30 hops max, 60 byte packets
1 10.254.222.3 (10.254.222.3) 42.036 ms 42.003 ms 10.254.222.2 (10.254.222.2) 0.663 ms
2 114.29.216.178 (114.29.216.178) 0.670 ms 114.29.216.179 (114.29.216.179) 0.690 ms 114.29.216.178 (114.29.216.178) 0.681 ms
3 114.29.221.84 (114.29.221.84) 0.691 ms 0.777 ms 114.29.221.80 (114.29.221.80) 0.820 ms
4 nrt02-wxbb-crt01-bu112.test.com (114.29.221.70) 1.082 ms nrt02-wxbb-crt01-te0-6-0-2.test.com (114.29.221.10) 1.228 ms nrt02-wxbb-crt01-bu112.test.com (114.29.221.70) 1.066 ms
5 210.173.176.245 (210.173.176.245) 5.700 ms 210.173.176.243 (210.173.176.243) 1.134 ms 210.173.176.245 (210.173.176.245) 5.665 ms
6 108.170.242.161 (108.170.242.161) 1.623 ms 1.497 ms 108.170.242.193 (108.170.242.193) 2.573 ms
7 172.253.66.203 (172.253.66.203) 4.417 ms 4.516 ms 4.507 ms
8 nrt20s19-in-f14.1e100.net (172.217.175.46) 1.461 ms 1.423 ms 1.455 ms
From each line, there are three parts- hop number, ip address, RTT. If ICMP unreachables are disabled on an interface along the path, that hop would be shown as a *.
- Hop Number – This is the first column and is simply the number of the hop along the route.
- Domain/IP column – The last column has the IP address of the router.
- RTT Columns – The next three columns display the round trip time (RTT) for your packet to reach that point and return to your computer. This is listed in milliseconds. There are three columns because the traceroute sends three separate signal packets. This is to display consistency, or a lack thereof, in the route.
Capture Traceroute Packets with tcpdump
We can use the following tcpdump command to capture all the packets we send and receive after we run traceroute command.
# tcpdump -i any icmp or \( udp and host 172.217.175.46\) -nnn
From the packets, we can see that this command use UDP protocol.
12:10:52.385871 IP 10.254.222.37.33772 > 172.217.175.46.33434: UDP, length 32
12:10:52.385909 IP 10.254.222.37.48620 > 172.217.175.46.33435: UDP, length 32
12:10:52.385926 IP 10.254.222.37.39009 > 172.217.175.46.33436: UDP, length 32
12:10:52.385940 IP 10.254.222.37.47146 > 172.217.175.46.33437: UDP, length 32
12:10:52.385956 IP 10.254.222.37.36447 > 172.217.175.46.33438: UDP, length 32
12:10:52.385971 IP 10.254.222.37.35539 > 172.217.175.46.33439: UDP,
The traceroute command attempts to trace the route an IP packet follows to an Internet host by launching UDP probe packets with a time-to-live. Looks like these message are same but actually they are not. They are with different ttl.
12:10:52.386585 IP 10.254.222.2 > 10.254.222.37: ICMP time exceeded in-transit, length 36
12:10:52.386607 IP 114.29.216.178 > 10.254.222.37: ICMP time exceeded in-transit, length 36
12:10:52.386642 IP 114.29.216.179 > 10.254.222.37: ICMP time exceeded in-transit, length 36
12:10:52.386648 IP 114.29.216.178 > 10.254.222.37: ICMP time exceeded in-transit, length 36
Listening for an ICMP TIME_EXCEEDED response from gateways along the way.Probes are started with a Max_ttl value of one hop, which is increased one hop at a time
12:10:52.388436 IP 172.217.175.46 > 10.254.222.37: ICMP 172.217.175.46 udp port 33456 unreachable, length 36
12:10:52.388445 IP 172.217.175.46 > 10.254.222.37: ICMP 172.217.175.46 udp port 33455 unreachable, length 36
12:10:52.388698 IP 172.217.175.46 > 10.254.222.37: ICMP 172.217.175.46 udp port 33458 unreachable, length 36
12:10:52.388706 IP 172.217.175.46 > 10.254.222.37: ICMP 172.217.175.46 udp port 33459 unreachable, length 36
12:10:52.388709 IP 172.217.175.46 > 10.254.222.37: ICMP 172.217.175.46 udp port 33457 unreachable, length 36
12:10:52.388711 IP 172.217.175.46 > 10.254.222.37: ICMP 172.217.175.46 udp port 33460 unreachable, length 36
The ICMP PORT_UNREACHABLE message indicates that the host has been located.
Different Approach of Traceroute
Most traceroute use UDP and a destination port from the 33434 to 33534 range for the probe packets by default. We can change it with with option.
proto
Send packets of specified IP protocol. The currently supported protocols are: UDP , TCP , GRE and ICMP Other protocols may also be specified (either by name or by number)
Timeouts at Traceroute report
Timeouts at the end may occur for a number of reasons. Not all of them indicate an issue, however:
- The target’s firewall may be blocking requests. The target is still most probably reachable with other TCP or UDP request, however. This should not affect normal connection.
- The return path may have an issue from the destination point. This would mean the signal is still reaching, but just not getting the return signal back to our local client. This should not affect normal connection.
- Possible connection problem at the target. This will affect the connection.