Traceroute can be used to determine which path IP packets are taking to get from your computer to a remote computer. Traceroute was designed to reveal when network failures such as routing loops and black holes occur and shows roughly where those failures exist.
If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an Internet Control Message Protocol (ICMP) Time-Exceeded message to the sender. Traceroute determines the IP address of the first hop by examining the source address field of that ICMP Time-Exceeded message.
To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and forwards the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns a Time-Exceeded message to the source. This process continues, incrementing the TTL each round, until the TTL is large enough for the datagram to reach the destination host (which then replies, for example with an ICMP Echo Reply) or until the maximum TTL is reached.
tracert on a Windows computer sends 3 ICMP Echo (ICMP type 8) messages with the time to live (TTL) in the IP header set to 1 and the destination address of the packets set to the destination computer's IP address (called fool). Routers along the path answer with ICMP Time Exceeded (ICMP type 11) responses. These messages indicate that the traceroute messages have not yet reached the destination.
On *nix, with the Van Jacobson modification of using a UDP port number and relying on Port Unreachable errors to signify the end of the traceroute, the outbound packets are sent to UDP ports starting at 33434, while the returning packets are ICMP. The UDP destination port on the outbound packet usually increments upwards from 33434 in step with the TTL set in the IP header. This is why some firewalls block UNIX/Linux/BSD traceroute but let Windows traceroute through.
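As an added example (not part of the original text), the following Python constructs the ICMP replies a Unix-style UDP traceroute receives and shows how the sender of each reply and the hop it belongs to are recovered: the hop comes from the UDP destination port quoted inside the ICMP message, which is also the port range a firewall rule for this kind of traceroute has to match. The one-port-per-TTL mapping, the addresses and the port numbers are assumptions for illustration.

```python
import ipaddress
import struct

BASE_PORT = 33434  # first UDP destination port of a classic Unix traceroute


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Constructed minimal IPv4 header (no options, checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def icmp_reply(sender, probe_src, probe_dst, probe_ttl, probe_port, itype=11, code=0):
    """Constructed reply to a UDP probe: ICMP type/code followed by the quoted
    probe IP header and the first 8 bytes of its payload (the UDP header).
    Type 11/0 is Time Exceeded from a router, type 3/3 is Port Unreachable
    from the destination host."""
    udp = struct.pack("!HHHH", 40000, probe_port, 8, 0)  # src port, dst port, len, csum
    quoted = ipv4_header(probe_src, probe_dst, 17, probe_ttl, 8) + udp
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + quoted
    return ipv4_header(sender, probe_src, 1, 64, len(icmp)) + icmp


def parse_reply(packet):
    """Return (sender_ip, hop, kind). The hop is recovered from the UDP destination
    port quoted inside the ICMP message, not from the quoted TTL, because the
    quoted TTL has already been decremented by every router on the way out."""
    ihl = (packet[0] & 0x0F) * 4
    sender = str(ipaddress.IPv4Address(packet[12:16]))
    icmp = packet[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype == 11 and code == 0:
        kind = "time-exceeded"      # an intermediate router
    elif itype == 3 and code == 3:
        kind = "port-unreachable"   # the destination itself: the trace is finished
    else:
        return sender, None, "other"
    quoted = icmp[8:]
    qihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 17 or len(quoted) < qihl + 4:  # not a quoted UDP probe
        return sender, None, kind
    dst_port = struct.unpack("!H", quoted[qihl + 2:qihl + 4])[0]
    return sender, dst_port - BASE_PORT + 1, kind   # assumed: port 33434 <-> TTL 1
```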
Other deficiencies have been discovered as well, raising the question of how, and how much, traceroute confuses our understanding of network paths. Paris traceroute is an alternative designed to address them.
The usual version is still useful for reconnaissance, since we are mostly interested in the last part of the route, and, as with ping, when doing reconnaissance in stealth mode it is best to use a proxy such as centralops so as not to wake any sleeping dogs.