Understanding Traceroute Command with Examples

Table of Contents

The traceroute command is used to trace the exact routing hops and the path that the packets take to the remote destination. This command’s purpose is to test and display the communication link between a source host and a destination host or network.

We will dive into traceroute command today to see how it works.

How Traceroute works?

Traceroute allows us to identify the route that datagrams are taking on their way to a remote device. This is achieved by sending a series of packets with incrementally larger Time-to-Live values, and then monitoring for ICMP Time Exceeded error messages as the packets expire on the way to the destination system.

The traceroute command uses UDP datagrams by default. We will discuss more details later.

Traceroute is the Linux/macOS version. Tracert is the Windows version.

Example of Traceroute

We can run the following command to trace the path to ip


This is the output of this command.

traceroute to (, 30 hops max, 60 byte packets
1 ( 42.036 ms 42.003 ms ( 0.663 ms
2 ( 0.670 ms ( 0.690 ms ( 0.681 ms
3 ( 0.691 ms 0.777 ms ( 0.820 ms
4 ( 1.082 ms ( 1.228 ms ( 1.066 ms
5 ( 5.700 ms ( 1.134 ms ( 5.665 ms
6 ( 1.623 ms 1.497 ms ( 2.573 ms
7 ( 4.417 ms 4.516 ms 4.507 ms
8 ( 1.461 ms 1.423 ms 1.455 ms

From each line, there are three parts- hop number, ip address, RTT. If ICMP unreachables are disabled on an interface along the path, that hop would be shown as a *.

  • Hop Number – This is the first column and is simply the number of the hop along the route.
  • Domain/IP column – The last column has the IP address of the router.
  • RTT Columns – The next three columns display the round trip time (RTT) for your packet to reach that point and return to your computer. This is listed in milliseconds. There are three columns because the traceroute sends three separate signal packets. This is to display consistency, or a lack thereof, in the route.

Capture Traceroute Packets with tcpdump

We can use the following tcpdump command to capture all the packets we send and receive after we run traceroute command.

# tcpdump -i any icmp or \( udp and host\) -nnn

From the packets, we can see that this command use UDP protocol.

12:10:52.385871 IP > UDP, length 32
12:10:52.385909 IP > UDP, length 32
12:10:52.385926 IP > UDP, length 32
12:10:52.385940 IP > UDP, length 32
12:10:52.385956 IP > UDP, length 32
12:10:52.385971 IP > UDP,

The traceroute command attempts to trace the route an IP packet follows to an Internet host by launching UDP probe packets with a time-to-live. Looks like these message are same but actually they are not. They are with different ttl.

12:10:52.386585 IP > ICMP time exceeded in-transit, length 36
12:10:52.386607 IP > ICMP time exceeded in-transit, length 36
12:10:52.386642 IP > ICMP time exceeded in-transit, length 36
12:10:52.386648 IP > ICMP time exceeded in-transit, length 36

Listening for an ICMP TIME_EXCEEDED response from gateways along the way.Probes are started with a Max_ttl value of one hop, which is increased one hop at a time

12:10:52.388436 IP > ICMP udp port 33456 unreachable, length 36
12:10:52.388445 IP > ICMP udp port 33455 unreachable, length 36
12:10:52.388698 IP > ICMP udp port 33458 unreachable, length 36
12:10:52.388706 IP > ICMP udp port 33459 unreachable, length 36
12:10:52.388709 IP > ICMP udp port 33457 unreachable, length 36
12:10:52.388711 IP > ICMP udp port 33460 unreachable, length 36

The ICMP PORT_UNREACHABLE message indicates that the host has been located.

Different Approach of Traceroute

Most traceroute use UDP and a destination port from the 33434 to 33534 range for the probe packets by default. We can change it with with option.

Send packets of specified IP protocol. The currently supported protocols are: UDP , TCP , GRE and ICMP Other protocols may also be specified (either by name or by number)

Timeouts at Traceroute report

Timeouts at the end may occur for a number of reasons. Not all of them indicate an issue, however:

  • The target’s firewall may be blocking requests. The target is still most probably reachable with other TCP or UDP request, however. This should not affect normal connection.
  • The return path may have an issue from the destination point. This would mean the signal is still reaching, but just not getting the return signal back to our local client. This should not affect normal connection.
  • Possible connection problem at the target. This will affect the connection.

Share on facebook
Share on twitter
Share on linkedin
Liquid Web Managed Word Press