User Tools

Site Tools



traceroute is a network diagnostic tool originally written by Van Jacobson to determine whether routing problems exist on the network and adheres to rfc1393.

Mapping the internet: The Opte Project

Traceroute can be used to determine which path IP packets are taking to get from your computer to a remote computer. Traceroute was designed to reveal when network failures such as routing loops and black holes occur and shows roughly where those failures exist.

tracert on windows

If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an Internet Control Message Protocol (ICMP) Time-Exceeded message to the sender. Traceroute determines the IP address of the first hop by examining the source address field of that ICMP Time-Exceeded message.

To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the Time-Exceeded message to the source. This process continues until the TTL is incremented to a value large enough for the datagram to reach the destination host or until the maximum TTL is reached or the destination host replies with an ICMP Echo Reply.

  1. Run tracert on a Windows computer creating 3 ICMP echo (ICMP type '8') messages with the time to live (TTL) in the IP Header set to 1 and addresses the packets set to the destination computer's IP address (called fool).
  2. Start a timer.
  3. Sends the three messages destined for the fool out to the network.
  4. Wait for a response. This response will be:
    1. An ICMP Time Exceeded message - this means the host responding is not the destination.
    2. An ICMP Destination Unreachable - this means the host responding doesn't know how to get to the destination IP address in the traceroute packets.
  5. The computer on which the messages die because the time to live expired (somewhere between you and the fool) sends back ICMP Time Exceeded (ICMP Type 11) responses. These messages indicate that the traceroute messages have not yet reached the destination.
  6. Note the times they arrived, compare that to the time the ICMP Echo Request was sent and show the results of that round trip on the screen.
  7. Increment the TTL in the IP Header by one, then repeat the previous six steps (create 3 packets, set the Time to Live to the next highest number, start a timer, transmit the packets, wait for a response). This process is repeated until the packets reach the fool we are tracing the route to.
  8. When the fool receives the packets, it sends back an ICMP Reply (ICMP type '0') and the traceroute program stops.

traceroute on linux

On *nix, in the Van Jacobson modification of using an UDP port number and relying on port unreachable errors to signify the end of the traceroute, only the outbound packets are sent to UDP ports starting with 33434. The returning packets are ICMP and the UDP port number on the outbound packet usually increments upwards from UDP 33434 to match the TTL set in the IP Header. This is why some firewalls block UNIX/Linux/BSD traceroute but let Windows traceroute through.


Other deficiencies have been discovered as well. How and how much traceroute confuses our understanding of network paths? The paris traceroute is an alternative.

The usual version is still useful for reconnaissance, since we are mostly interested in the last part of the route, and as with ping, when doing reconnaissance in stealth mode, best use a proxy like for example centralops to not wake any sleeping dogs.

en/hacking/recon/tools/traceroute.txt · Last modified: 2019/09/26 14:47 by Digital Dot