Traceroute: How to See the Path a Packet Takes Across the Internet

Why you need it

When your ping to a site is slow, where is the bottleneck? Somewhere on your home network, at your ISP, on a backbone link, or at the remote data center? Without traceroute you are guessing blind. With it, you see every router along the path and the round-trip time at each hop.

How it works (the TTL trick)

Every IP packet carries a TTL (Time To Live) field, a hop counter. Each router decrements TTL by 1; if it reaches 0, the router drops the packet and sends the originator an icmp type 11 (time exceeded) message.

Traceroute exploits this:

It sends a packet with TTL=1. The first router decrements to 0, drops the packet, and sends ICMP time-exceeded. You now have the address of the first router.
It sends a packet with TTL=2. The first router decrements to 1 and forwards it. The second router decrements to 0, drops it, and sends ICMP. You now have the second router.
This continues, incrementing TTL until you receive a reply from the destination host itself.

Each step is repeated three times by default so you can see the variance in latency.

Implementations differ

Linux traceroute sends UDP to a high, unpopulated port by default. Use -T for TCP and -I for ICMP.
Windows tracert sends ICMP echo-request packets (like ping).
macOS uses UDP by default (same as Linux).

This matters because firewalls may pass ICMP while dropping UDP. In that case traceroute shows asterisks even though ping works. Try traceroute -I (ICMP mode) or tcptraceroute (uses TCP to an open port).

Reading the output

$ traceroute google.com

 1  192.168.1.1  0.5 ms     ← home router

 2  10.10.0.1    5.2 ms     ← ISP gateway

 3  *  *  *                 ← drops or hides ICMP

 4  72.14.234.1  12.5 ms    ← backbone

 5  142.250.46.225  15.0 ms ← google

* * * at a hop means the router does not reply to ICMP (often a security policy). It does not mean the path is broken.
A sharp latency jump between two adjacent hops points to the bottleneck there.
Uneven latency within one hop (e.g., 1 ms, 100 ms, 1 ms) usually means the router rate-limits ICMP replies, not actual path latency.

mtr: better than traceroute

MTR combines traceroute and ping. It probes every hop continuously and shows packet loss percentage and latency stability. It is indispensable for debugging intermittent slowdowns.

bash

mtr google.com           # interactive, updates in real time

mtr -rwc 100 google.com  # 100 probes, report mode, suitable for logs

§ команды

bash

traceroute google.com

UDP traceroute (Linux default)

bash

traceroute -I google.com

ICMP mode; use this when UDP is blocked by a firewall

bash

traceroute -T -p 443 google.com

TCP to port 443; use this when ICMP is blocked but the port is open

bash

mtr google.com

Interactive traceroute with real-time loss monitoring

bash

tracepath google.com

No-root alternative that also reports the path MTU

How it works (the TTL trick)

Traceroute exploits this:

It sends a packet with TTL=1. The first router decrements to 0, drops the packet, and sends ICMP time-exceeded. You now have the address of the first router.

It sends a packet with TTL=2. The first router decrements to 1 and forwards it. The second router decrements to 0, drops it, and sends ICMP. You now have the second router.

This continues, incrementing TTL until you receive a reply from the destination host itself.

Each step is repeated three times by default so you can see the variance in latency.

Implementations differ

Linux traceroute sends UDP to a high, unpopulated port by default. Use -T for TCP and -I for ICMP.

Windows tracert sends ICMP echo-request packets (like ping).

macOS uses UDP by default (same as Linux).

Reading the output

$ traceroute google.com

 1  192.168.1.1  0.5 ms     ← home router

 2  10.10.0.1    5.2 ms     ← ISP gateway

 3  *  *  *                 ← drops or hides ICMP

 4  72.14.234.1  12.5 ms    ← backbone

 5  142.250.46.225  15.0 ms ← google

* * * at a hop means the router does not reply to ICMP (often a security policy). It does not mean the path is broken.

A sharp latency jump between two adjacent hops points to the bottleneck there.

Uneven latency within one hop (e.g., 1 ms, 100 ms, 1 ms) usually means the router rate-limits ICMP replies, not actual path latency.

mtr: better than traceroute

MTR combines traceroute and ping. It probes every hop continuously and shows packet loss percentage and latency stability. It is indispensable for debugging intermittent slowdowns.

bash

mtr google.com           # interactive, updates in real time

mtr -rwc 100 google.com  # 100 probes, report mode, suitable for logs

§ команды

bash

traceroute google.com

UDP traceroute (Linux default)

bash

traceroute -I google.com

ICMP mode; use this when UDP is blocked by a firewall

bash

traceroute -T -p 443 google.com

TCP to port 443; use this when ICMP is blocked but the port is open

bash

mtr google.com

Interactive traceroute with real-time loss monitoring

bash

tracepath google.com

No-root alternative that also reports the path MTU

Traceroute: How to See the Path a Packet Takes Across the Internet

Why you need it

How it works (the TTL trick)

Implementations differ

Reading the output

mtr: better than traceroute

§ команды

§ см. также

Traceroute: How to See the Path a Packet Takes Across the Internet

Why you need it

How it works (the TTL trick)

Implementations differ

Reading the output

mtr: better than traceroute

§ команды

§ см. также