
Traceroute
The traceroute command is a network diagnostic tool used to track the pathway a packet takes from a source host to a destination host.
It does this by sending packets with increasing Time-to-Live (TTL) values. Each router along the path decrements the TTL by one. When the TTL reaches zero, the router sends an ICMP "Time Exceeded" message back to the source.
The traceroute command records the hop's IP address and the round-trip time (RTT) from this message, thereby mapping the route.
The syntax for traceroute is straightforward:
traceroute [options] {host}
The host can be a domain name or an IP address. You can customise the behaviour of traceroute by using various options.
Key traceroute Options
Here are some of the most useful traceroute commands on Linux, with explanations and examples.
Standard Traceroute
By default, traceroute uses UDP packets. This is the most common and basic form of the command.
traceroute google.com
traceroute to google.com (142.251.46.206), 30 hops max, 60 byte packets
<<--snip-->>
7 be-398-ar01.hayward.ca.sfba.comcast.net (162.151.87.225) 25.281 ms 25.220 ms *
8 * * *
9 142.251.228.82 (142.251.228.82) 24.790 ms 142.251.224.188 (142.251.224.188) 24.923 ms *
10 142.251.65.136 (142.251.65.136) 24.219 ms 24.187 ms 142.251.228.229 (142.251.228.229) 24.154 ms
11 nuq04s45-in-f14.1e100.net (142.251.46.206) 23.971 ms 172.253.64.169 (172.253.64.169) 24.668 ms nuq04s45-in-f14.1e100.net (142.251.46.206) 23.369 ms
Explanation: Each numbered line represents a hop. The IP address or hostname of the router is shown, followed by three RTT values in milliseconds. The three values represent the time taken for three separate probes sent to that hop. An asterisk (*) indicates that a probe timed out, meaning no response was received.
Disabling DNS Lookups
By default, traceroute attempts to resolve the IP addresses of each hop to a domain name. This can add to the command's execution time. The -n option prevents this.
traceroute -n google.com
Purpose: Runs a traceroute without resolving IP addresses to hostnames, resulting in faster output.
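As an added example (not code from the original post), here is a small Python parser for the output format described above. It handles the "host (ip)" form shown in the standard traceroute output and the bare-IP form printed with -n, records "*" timeouts, keeps any trailing ICMP annotation (such as !X, which traceroute prints when a router answers "communication administratively prohibited"), and then runs three checks that are normally done by eye: hops that never answer, hops that answer from more than one address (load-balanced paths), and latency jumps between consecutive responding hops. Hops 7 to 11 in the sample are the output shown above; hop 12 is a constructed line using a documentation address.

```python
"""Parse Linux traceroute output into per-hop records and run a few checks.

Added example, not code from the original post. It handles the default
"host (ip)" form, the bare "ip" form printed with -n, the "*" timeout marker
and ICMP annotations such as !X (administratively prohibited).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")  # only numbered hop lines match

@dataclass
class Probe:
    host: Optional[str]      # hostname, or the IP itself under -n; None on "*"
    ip: Optional[str]
    rtt_ms: Optional[float]  # None when the probe timed out ("*")
    note: str = ""           # trailing annotation such as "!X" or "!H", if printed

@dataclass
class Hop:
    ttl: int
    probes: List[Probe] = field(default_factory=list)

    def ips(self) -> List[str]:
        return sorted({p.ip for p in self.probes if p.ip})

    def rtts(self) -> List[float]:
        return [p.rtt_ms for p in self.probes if p.rtt_ms is not None]

    def loss(self) -> int:
        return sum(1 for p in self.probes if p.rtt_ms is None)

def parse_hop_line(line: str) -> Optional[Hop]:
    """Return a Hop for one numbered line, or None for header/snip lines."""
    m = HOP_LINE.match(line)
    if not m:
        return None
    hop = Hop(ttl=int(m.group(1)))
    tokens = m.group(2).split()
    host = ip = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "*":                                    # probe timed out
            hop.probes.append(Probe(None, None, None))
            i += 1
        elif nxt == "ms":                                 # RTT for the current address
            hop.probes.append(Probe(host, ip, float(tok)))
            i += 2
        elif tok.startswith("!"):                         # annotation on the previous probe
            if hop.probes:
                hop.probes[-1].note = tok
            i += 1
        elif nxt and nxt.startswith("(") and nxt.endswith(")"):  # "host (ip)"
            host, ip = tok, nxt[1:-1]
            i += 2
        else:                                             # bare address (-n output)
            host = ip = tok
            i += 1
    return hop

def parse_traceroute(text: str) -> List[Hop]:
    hops = (parse_hop_line(line) for line in text.splitlines())
    return [h for h in hops if h is not None]

def silent_hops(hops: List[Hop]) -> List[int]:
    """TTLs where every probe timed out (a hop that drops or rate-limits replies)."""
    return [h.ttl for h in hops if h.probes and h.loss() == len(h.probes)]

def multipath_hops(hops: List[Hop]) -> List[int]:
    """TTLs that answered from more than one address (load-balanced / ECMP paths)."""
    return [h.ttl for h in hops if len(h.ips()) > 1]

def latency_jumps(hops: List[Hop], threshold_ms: float) -> List[tuple]:
    """(ttl, increase) pairs where the best RTT rose by more than threshold_ms
    over the previous hop that responded."""
    jumps, prev = [], None
    for h in hops:
        r = h.rtts()
        if not r:
            continue
        best = min(r)
        if prev is not None and best - prev > threshold_ms:
            jumps.append((h.ttl, round(best - prev, 3)))
        prev = best
    return jumps

# Hops 7-11 are the output shown above; hop 12 is a constructed -n style line
# with a "!X" annotation, added only to exercise the parser.
SAMPLE = """\
traceroute to google.com (142.251.46.206), 30 hops max, 60 byte packets
 7  be-398-ar01.hayward.ca.sfba.comcast.net (162.151.87.225)  25.281 ms  25.220 ms *
 8  * * *
 9  142.251.228.82 (142.251.228.82)  24.790 ms 142.251.224.188 (142.251.224.188)  24.923 ms *
10  142.251.65.136 (142.251.65.136)  24.219 ms  24.187 ms 142.251.228.229 (142.251.228.229)  24.154 ms
11  nuq04s45-in-f14.1e100.net (142.251.46.206)  23.971 ms 172.253.64.169 (172.253.64.169)  24.668 ms nuq04s45-in-f14.1e100.net (142.251.46.206)  23.369 ms
12  203.0.113.9  30.100 ms !X * *
"""
```

Feed it the saved output of any run (with or without -n): `parse_traceroute(open("trace.txt").read())` gives the hop list, and `silent_hops`, `multipath_hops` and `latency_jumps(hops, 20)` pull out the hops worth looking at, which is the same reading of "*" and multi-address lines that the explanation above describes.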
ICMP Traceroutes
Sometimes, network firewalls block the default UDP packets used by traceroute. To overcome this, you can specify different protocols.
The -I or --icmp option forces traceroute to use ICMP ECHO packets. This is similar to how the ping command works and is often more successful at traversing networks with strict firewalls that might drop UDP packets.
sudo traceroute -I {dst_ip}
Explanation: Uses ICMP packets to trace the route. You often need sudo privileges for this command. The output looks similar to the standard traceroute, but the packets sent are of the ICMP protocol type.
TCP SYN Traceroutes
The -T or --tcp option uses TCP SYN packets. This is a powerful method for testing connectivity through firewalls, as most network firewalls allow TCP traffic on common ports like 80 (HTTP) or 443 (HTTPS).
sudo traceroute -T {dst_ip}
Purpose: Uses TCP SYN packets on the default port (80) to trace the route. This is particularly useful for debugging web server connectivity issues.
Explanation: This works by sending a TCP SYN packet and waiting for a SYN-ACK response from the destination. When a "time-exceeded" message is received from a router along the way, the RTT is calculated.
Specifying a Destination Port
Using the -p or --port option with a protocol-specific traceroute allows you to test connectivity to a specific service or application. For example, to check the path to an SSH server, you can specify port 22.
sudo traceroute -T -p 22 {dst_ip}
Purpose: Traces the route using TCP packets on port 22. This helps diagnose why an SSH connection might be failing.
Explanation: This is a more granular test, confirming whether the path is open for a specific type of traffic.
Specifying a Source Port
Use the --sport option to send traffic with a specific source port. As the --help output below notes, --sport implies -N 1, so probes are sent one at a time.
sudo traceroute -T -p 22 --sport=1000 {dst_ip}
Purpose: Traces the route using TCP packets with the source port 1000.
Specifying a Source Interface and/or Source IP
Use the -s option to send traffic with a specific source IP.
Use the -i option to send traffic from a specific interface.
sudo traceroute -s {src_ip} {dst_ip}
Purpose: Traces the route using a specific source IP.
sudo traceroute -i {interface_name} {dst_ip}
Purpose: Traces the route using a specific source interface.
Set the TOS
The -t {tos} or --tos={tos} option sets the TOS (IPv4 type of service) or TC (IPv6 traffic class) value for outgoing packets.
sudo traceroute -t 32 {dst_ip}
Explanation: Sets the TOS field to 32 (equivalent to DSCP value 8). This command typically requires sudo privileges and is useful if you have Policy-Based Routing (PBR) on your network.
Number of probes per hop
Sometimes you want to increase the number of probes sent for each hop, for example if you have more than 3 redundant paths, or decrease it for a faster response.
-q nqueries --queries=nqueries Set the number of probes per each hop. Default is 3
sudo traceroute -q 5 {dst_ip}
Explanation: Sends 5 probes for each hop.
First TTL
Sometimes you don't need to start from your first hop.
-f first_ttl --first=first_ttl Start from the first_ttl hop (instead from 1)
sudo traceroute -f 10 {dst_ip}
Explanation: Starts the traceroute with a TTL of 10, which means hop 10.
MAX TTL
Set the maximum number of hops you want.
-m max_ttl --max-hops=max_ttl Set the max number of hops (max TTL to be reached). Default is 30
sudo traceroute -m 10 {dst_ip}
Explanation: The traceroute command will send probes for the first 10 hops only.
Packet length
If you need to change the packet size, give the length as the final argument.
sudo traceroute {dst_ip} 1000
Explanation: Changes the packet size to 1000. The 1000 is without the headers.
Do not fragment
Use this if you need to test whether there is fragmentation on the links. It is usually used in combination with changing the packet length.
sudo traceroute -F {dst_ip}
Explanation: Sends the packets with the DF bit set; if fragmentation is needed along the path, the packets will be dropped.
TIMEOUT
-w MAX,HERE,NEAR --wait=MAX,HERE,NEAR
The -w or --wait option in traceroute is used to adjust the waiting time for a response from a hop. This option allows for more intelligent and dynamic timeout settings, which can be particularly useful on slow or congested networks.
The option takes three comma-separated values: MAX, HERE, and NEAR.
MAX
This is the maximum absolute timeout in seconds. It is the most straightforward of the three. If traceroute doesn't receive a response for a probe within this time, it gives up and prints an asterisk *. The default value for MAX is 5.0 seconds.
HERE
This value sets a relative timeout based on the current hop. It specifies that traceroute will wait no more than HERE times longer than the average response time of the same hop. The default value is 3.
Let's say the first two probes to a specific hop took 20ms each to get a response. The average response time is 20ms. The third probe will have a timeout of no more than 20ms * 3 = 60ms. This prevents traceroute from waiting a full 5 seconds (the MAX value) for a hop that is known to respond quickly.
NEAR
This value sets a relative timeout based on the next hop. It specifies that traceroute will wait no more than NEAR times longer than the average response time of the next hop. The default value is 10.
For example, if the previous hop's response time was 50ms, and the current hop's response time is 200ms, the next probe will have a timeout of 200ms * 10 = 2000ms, or 2 seconds. This is helpful for avoiding timeouts on slow hops that are followed by faster ones.
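The MAX, HERE and NEAR rule just described, worked through in code. This is an added example written for this page, not traceroute's own source: it models the rule as the text states it (HERE times the average reply of the same hop, otherwise NEAR times the average reply of the next hop, never more than MAX seconds), so it is an approximation of the real scheduler. The defaults 5.0, 3 and 10 come from the --help output; treating an omitted field as "keep the default" and a zero factor as "skip that check" are assumptions of the model.

```python
"""Model of the -w MAX,HERE,NEAR timeout rule described above.

Added example, not the traceroute source: it applies the rule as the text
states it (average of replies already seen from the same hop times HERE,
otherwise the next hop's average times NEAR, capped at MAX seconds).
"""
from statistics import mean
from typing import List, Tuple

DEFAULT_MAX, DEFAULT_HERE, DEFAULT_NEAR = 5.0, 3.0, 10.0  # defaults from --help

def parse_wait(arg: str) -> Tuple[float, float, float]:
    """Parse the -w/--wait argument "MAX[,HERE[,NEAR]]".

    Omitted fields keep their defaults (assumption of this model, so that the
    plain "-w1" form used in the post yields MAX=1 with HERE and NEAR unchanged).
    """
    fields = [f.strip() for f in arg.split(",")]
    if len(fields) > 3 or any(f and float(f) < 0 for f in fields):
        raise ValueError(f"bad -w argument: {arg!r}")
    defaults = [DEFAULT_MAX, DEFAULT_HERE, DEFAULT_NEAR]
    values = [float(f) if f else d for f, d in zip(fields + ["", "", ""], defaults)]
    return values[0], values[1], values[2]

def probe_timeout(max_s: float, here: float, near: float,
                  same_hop_rtts: List[float], next_hop_rtts: List[float]) -> float:
    """Seconds to wait for a new probe, given replies already seen (RTTs in seconds).

    A factor of 0 is treated here as disabling that relative check (assumption).
    """
    if here and same_hop_rtts:                  # HERE: scale by this hop's own replies
        candidate = here * mean(same_hop_rtts)
        if candidate < max_s:
            return candidate
    if near and next_hop_rtts:                  # NEAR: scale by the next hop's replies
        candidate = near * mean(next_hop_rtts)
        if candidate < max_s:
            return candidate
    return max_s                                # nothing to go on: absolute MAX

def worst_case_wait(max_hops: int, queries: int, max_s: float) -> float:
    """Upper bound on total run time with -N 1 when no hop ever answers:
    every probe waits the full MAX, so -m, -q and -w together set the budget."""
    return max_hops * queries * max_s

if __name__ == "__main__":
    print(parse_wait("1"))                                    # (1.0, 3.0, 10.0)
    print(probe_timeout(5.0, 3, 10, [0.020, 0.020], []))      # 0.06: third probe to a 20 ms hop
    print(probe_timeout(5.0, 3, 10, [], [0.200]))             # 2.0: next hop answered in 200 ms
    print(probe_timeout(5.0, 3, 10, [3.0], []))               # 5.0: 3 * 3 s exceeds MAX
    print(worst_case_wait(30, 3, 5.0))                        # 450.0 seconds with the defaults
```

The two worked cases from the text come out as stated: two 20 ms replies from the same hop give a 60 ms wait for the third probe, and a 200 ms reply from the next hop gives a 2 s wait. The worst-case figure is the practical reason to lower -w on a path where several hops drop probes: with the defaults (30 hops, 3 probes, 5 s) a fully silent path can take 450 s to finish.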
sudo traceroute -w1 {dst_ip}
Explanation: Sets the maximum timeout (MAX) to 1 second.
Set the number of simultaneous probes
The -N or --sim-queries option in traceroute lets you control how many probes are sent at the same time. Instead of sending one probe for each hop and waiting for a response before sending the next, traceroute will send a batch of probes to different hops all at once. By default, this value is set to 16.
sudo traceroute -I -N 20 {dst_ip}
Explanation: Traceroute sends up to 20 probes at the same time.
traceroute --help output
tony@tony-pc:~$ traceroute --help
Usage:
traceroute [ -46dFITnreAUDV ] [ -f first_ttl ] [ -g gate,... ] [ -i device ] [ -m max_ttl ] [ -N squeries ] [ -p port ] [ -t tos ] [ -l flow_label ] [ -w MAX,HERE,NEAR ] [ -q nqueries ] [ -s src_addr ] [ -z sendwait ] [ --fwmark=num ] host [ packetlen ]
Options:
-4 Use IPv4
-6 Use IPv6
-d --debug Enable socket level debugging
-F --dont-fragment Do not fragment packets
-f first_ttl --first=first_ttl
Start from the first_ttl hop (instead from 1)
-g gate,... --gateway=gate,...
Route packets through the specified gateway
(maximum 8 for IPv4 and 127 for IPv6)
-I --icmp Use ICMP ECHO for tracerouting
-T --tcp Use TCP SYN for tracerouting (default port is 80)
-i device --interface=device
Specify a network interface to operate with
-m max_ttl --max-hops=max_ttl
Set the max number of hops (max TTL to be
reached). Default is 30
-N squeries --sim-queries=squeries
Set the number of probes to be tried
simultaneously (default is 16)
-n Do not resolve IP addresses to their domain names
-p port --port=port Set the destination port to use. It is either
initial udp port value for "default" method
(incremented by each probe, default is 33434), or
initial seq for "icmp" (incremented as well,
default from 1), or some constant destination
port for other methods (with default of 80 for
"tcp", 53 for "udp", etc.)
-t tos --tos=tos Set the TOS (IPv4 type of service) or TC (IPv6
traffic class) value for outgoing packets
-l flow_label --flowlabel=flow_label
Use specified flow_label for IPv6 packets
-w MAX,HERE,NEAR --wait=MAX,HERE,NEAR
Wait for a probe no more than HERE (default 3)
times longer than a response from the same hop,
or no more than NEAR (default 10) times than some
next hop, or MAX (default 5.0) seconds (float
point values allowed too)
-q nqueries --queries=nqueries
Set the number of probes per each hop. Default is
3
-r Bypass the normal routing and send directly to a
host on an attached network
-s src_addr --source=src_addr
Use source src_addr for outgoing packets
-z sendwait --sendwait=sendwait
Minimal time interval between probes (default 0).
If the value is more than 10, then it specifies a
number in milliseconds, else it is a number of
seconds (float point values allowed too)
-e --extensions Show ICMP extensions (if present), including MPLS
-A --as-path-lookups Perform AS path lookups in routing registries and
print results directly after the corresponding
addresses
-M name --module=name Use specified module (either builtin or external)
for traceroute operations. Most methods have
their shortcuts (`-I' means `-M icmp' etc.)
-O OPTS,... --options=OPTS,...
Use module-specific option OPTS for the
traceroute module. Several OPTS allowed,
separated by comma. If OPTS is "help", print info
about available options
--sport=num Use source port num for outgoing packets. Implies
`-N 1'
--fwmark=num Set firewall mark for outgoing packets
-U --udp Use UDP to particular port for tracerouting
(instead of increasing the port per each probe),
default port is 53
-UL Use UDPLITE for tracerouting (default dest port
is 53)
-D --dccp Use DCCP Request for tracerouting (default port
is 33434)
-P prot --protocol=prot Use raw packet of protocol prot for tracerouting
--mtu Discover MTU along the path being traced. Implies
`-F -N 1'
--back Guess the number of hops in the backward path and
print if it differs
-V --version Print version info and exit
--help Read this help and exit
Arguments:
+ host The host to traceroute to
packetlen The full packet length (default is the length of an IP
header plus 40). Can be ignored or increased to a minimal
allowed value