Skip to main content
Explainer · diagnostics

How traceroute works

Traceroute looks like magic until you see the trick. Once you understand what it is actually doing — and what it is not doing — you can read its output in five seconds and diagnose most network problems faster than any other tool gives you a chance to.

The trick: how a 40-year-old IP feature became a diagnostic tool

Traceroute, invented by Van Jacobson in 1987, isn't a special protocol — it's a clever re-use of a field that's existed in every IP packet since IPv4 was standardized in 1981. That field is the Time-To-Live, or TTL (in IPv6 it's renamed Hop Limit but works identically). See the TTL glossary entry for the deeper background.

Every IP packet leaves your machine with a TTL of typically 64 (Linux/macOS) or 128 (Windows). Each router along the path decrements the TTL by one before forwarding. If a router decrements TTL to zero, it drops the packet and — by RFC 792 — sends back an ICMP "Time Exceeded" message to the original source, identifying itself.

The TTL field was originally a loop-prevention mechanism: a packet that got stuck in a routing loop would eventually expire instead of circulating forever. Traceroute turns this safety feature into a probe by setting TTL artificially low on purpose.

The traceroute algorithm, step by step

  1. Send a probe packet to the destination with TTL = 1. The very first router on your path decrements TTL to zero, drops the packet, and replies with ICMP Time Exceeded. The reply's source IP is the router's IP. You just learned hop 1.
  2. Send another probe with TTL = 2. Router 1 decrements to 1 and forwards; router 2 decrements to 0, drops, and replies. You just learned hop 2.
  3. Continue incrementing TTL until you reach a TTL where the packet actually arrives at the destination. The destination doesn't generate Time Exceeded; instead it replies normally (or replies with ICMP Port Unreachable, depending on what kind of probe you sent). That tells you the final hop count.

Most traceroute implementations send three probes at each TTL by default, which is why you see three latency columns in the output. The latencies are usually similar — small jitter is normal. Wild variation suggests congestion or that the three probes took different paths (which happens often with load-balanced routers).

The three flavors: ICMP, UDP, TCP

The protocol used for the probes themselves differs by implementation, and the choice matters because firewalls and rate-limiters treat them differently.

Why some hops show stars

A row of * * * means: no reply within the timeout. There are several common reasons, in rough order of frequency:

Reading the latency column like an engineer

The latency at hop N is the round-trip time from you to that router. The number is mostly useful for comparing one hop to the next, not in absolute terms.

A typical residential-to-cloud trace might look like this:

1  192.168.1.1     0.4 ms
2  10.10.10.1      8 ms     ← cable headend / ISP CMTS
3  ge-0-2-0.ny.    12 ms    ← ISP regional aggregation
4  ae-3.r01.lhr.   85 ms    ← undersea cable to London
5  ae-2.r05.lhr.   86 ms    ← peering exchange
6  104.16.x.x     86 ms    ← destination

The big jump at hop 4 (12 ms → 85 ms) is the transatlantic cable. Every subsequent hop inherits that 85 ms baseline. The destination's own latency is what matters — 86 ms, 1 ms slower than the cable's RTT, which makes sense for a London POP after the cable lands.

A common misreading: panicking at high latency on an intermediate hop where the router is deprioritizing your probe replies. The router might take 200 ms to respond but forward your real packets in 5 ms. Look at where the end-to-end latency settles, not at any single middle hop.

What hostnames in traceroute tell you

Routers in the middle of the internet usually have descriptive reverse DNS names — and you can read a surprising amount of information from them. Common patterns:

For any IP that catches your eye, the WHOIS / RDAP tool will give you the registrant, ASN, and abuse contact in one query.

Online traceroute vs. running it yourself

Most "online traceroute" tools run from a single datacenter and show you the path from their location, not yours. That's useful for confirming a destination is reachable from somewhere, but it tells you nothing about your local network path — which is usually where the actual problem lives.

For broader perspective, use a looking glass at a major Tier-1 ISP: Cogent, NTT, Hurricane Electric, and Telia all run public looking glasses that let you traceroute from their networks. For a problem you're actually experiencing, your own terminal running mtr from where you sit is always the better diagnostic.

Related reading