Traceroute is one of those tools that feels like magic until you understand the trick. It maps every router (hop) between you and a destination by abusing the IP Time-To-Live field — see the TTL glossary.
The trick
Every IP packet carries a TTL field. Each router along the path decrements it by one before forwarding. When TTL hits zero, the router drops the packet and sends back an ICMP "Time Exceeded" message — including its own IP.
Traceroute exploits this:
- Send a packet with TTL=1. The first hop drops it, sends back ICMP Time Exceeded with its IP. We just learned hop 1.
- Send a packet with TTL=2. The first hop decrements to 1, forwards. The second hop decrements to 0, drops, replies. We now know hop 2.
- Continue until you reach the destination (TTL = N, where N is hop count). The destination responds with whatever the probe asked for instead of Time Exceeded.
Each row of traceroute output is a different TTL. The three latency columns are three probe packets at that TTL — small variation is normal, huge variation suggests congestion.
ICMP vs UDP vs TCP variants
- Classic UNIX traceroute — sends UDP packets to a high, normally unused port. Routers reply ICMP Time Exceeded; the destination replies ICMP Port Unreachable. Many ISPs / firewalls drop UDP to high ports, so you see stars.
- Windows tracert — uses ICMP Echo Request (the same packet ping uses). Most networks let it through.
- TCP traceroute (tcptraceroute) — sends TCP SYN to a specific port (usually 80 or 443). Routers reply ICMP, destination replies SYN+ACK. Best for getting through firewalls that block UDP and ICMP but allow web traffic.
- MTR (My Traceroute) — runs traceroute continuously, building a stable per-hop loss/latency picture. The right tool for "is this network problem upstream of me?"
Why some hops show stars
Stars (* * *) mean: no reply within the timeout. Common causes:
- Router rate-limits ICMP. Many backbone routers cap "Time Exceeded" generation to a few per second to prevent abuse. Probes beyond the cap are dropped without a reply.
- Firewall blocks the probe. Some networks let traffic through but discard probes designed to map them.
- Asymmetric routing. The forward path and the return path differ. The ICMP reply might take a different route home and arrive too late to match the probe.
- Anycast. 1.1.1.1, 8.8.8.8, root DNS servers all use anycast — different packets can reach different physical servers. Hops can look weird if probes drift across replicas.
Reading the latency
A big jump in latency at hop N usually corresponds to a long-distance link — undersea cable, cross-continent transit. Hops after the big jump are downstream of that long link, so they inherit its latency. What matters is the incremental latency between adjacent hops, not the absolute number for each.
A common gotcha: high latency on an intermediate hop because that router prioritises forwarding traffic over generating its own control-plane responses. The end-to-end ping might still be fast. Don't panic over a 200ms middle hop if the destination responds in 50ms.
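To make the two rules above concrete, here is a small added example (not part of the original post) that parses classic traceroute output, charges each hop only its incremental latency, and separates a long-link jump from a slow-to-reply middle hop. The sample output is constructed, with documentation-range addresses; the 20ms margin for "slower than the destination" is an assumed threshold.

```python
import re
from statistics import median
from typing import Optional

# Constructed sample of classic traceroute output; not a real capture.
SAMPLE = """\
traceroute to example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  1.102 ms  0.987 ms  1.045 ms
 2  198.51.100.5 (198.51.100.5)  8.410 ms  9.020 ms  8.775 ms
 3  * * *
 4  198.51.100.77 (198.51.100.77)  85.331 ms  84.118 ms  86.402 ms
 5  203.0.113.9 (203.0.113.9)  212.550 ms  209.871 ms  215.304 ms
 6  203.0.113.10 (203.0.113.10)  88.112 ms  87.880 ms  89.003 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RTT_RE = re.compile(r"([\d.]+) ms")

def parse(text: str) -> list[dict]:
    """One dict per row: ttl, ip (None if every probe timed out), rtts, stars."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # header line or blank
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        ip = re.search(r"\(([\d.]+)\)", rest)
        hops.append({"ttl": ttl, "ip": ip.group(1) if ip else None,
                     "rtts": [float(x) for x in RTT_RE.findall(rest)],
                     "stars": rest.count("*")})
    return hops

def rtt(hop: dict) -> Optional[float]:
    """Median of the probes at this TTL, or None when all of them were stars."""
    return median(hop["rtts"]) if hop["rtts"] else None

def incremental_latency(hops: list[dict]) -> dict[int, float]:
    """ttl -> latency added over the previous *replying* hop. Star hops are skipped,
    so their share lands on the next hop that answered. A negative delta means the
    previous hop's number was inflated by its own slow control plane."""
    deltas, prev = {}, 0.0
    for h in hops:
        r = rtt(h)
        if r is None:
            continue
        deltas[h["ttl"]] = r - prev
        prev = r
    return deltas

def noisy_middle_hops(hops: list[dict], margin_ms: float = 20.0) -> list[int]:
    """Intermediate hops slower than the destination by more than margin_ms.
    Their RTT reflects the router deprioritising replies, not the forward path."""
    dest = rtt(hops[-1])
    if dest is None:
        return []
    return [h["ttl"] for h in hops[:-1] if rtt(h) is not None and rtt(h) - dest > margin_ms]

def long_link(hops: list[dict]) -> int:
    """ttl of the largest incremental jump, ignoring hops that are just slow to reply."""
    noisy = set(noisy_middle_hops(hops))
    deltas = {t: d for t, d in incremental_latency(hops).items() if t not in noisy}
    return max(deltas, key=deltas.get)
```

On the sample, hop 3 is a pure star row, hop 5 is flagged as a noisy middle hop, and the long-distance link is attributed to hop 4 even though hop 5's raw number is larger.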
Web tools
Most "online traceroute" tools run from a single datacenter, which only tells you the path from their location. Looking glasses at major Tier-1 ISPs let you traceroute from different vantage points. For your own traffic, your own terminal beats any web tool — install mtr and use it from where you actually sit.
