Published on March 20, 2026 · 6 min read

How Traceroute Works: A Complete Guide

Learn how traceroute discovers the network path hop by hop. Understand TTL, ICMP, and how to interpret results.

Tags: traceroute, networking, guide

What Is Traceroute?

Traceroute is a network diagnostic tool that reveals the path packets take from your device to a destination host. Unlike ping, which only tells you whether a host is reachable and how long the round trip takes, traceroute shows you every intermediate router (hop) along the way — along with the latency at each step.

System administrators, network engineers, and DevOps teams rely on traceroute daily to pinpoint where packets are being delayed, dropped, or rerouted. Understanding how it works under the hood makes you far more effective at diagnosing connectivity problems.

How TTL (Time to Live) Makes It All Work

Traceroute exploits a fundamental mechanism in the Internet Protocol: the TTL (Time to Live) field in the IP header. Every IP packet carries a TTL value — a counter that decrements by one each time the packet passes through a router. When the TTL reaches zero, the router discards the packet and sends back an ICMP Time Exceeded message to the original sender.

Here is the step-by-step process:

  1. Send a packet with TTL=1. The first router receives it, decrements TTL to 0, drops the packet, and sends back an ICMP Time Exceeded message. You now know the IP address and latency of hop 1.
  2. Send a packet with TTL=2. It passes through the first router (TTL becomes 1), reaches the second router (TTL becomes 0), which sends back an ICMP Time Exceeded. You now know hop 2.
  3. Repeat with increasing TTL values until the packet reaches the destination. The destination host responds differently — with an ICMP Echo Reply (for ICMP mode) or an ICMP Port Unreachable (for UDP mode) — signaling that the trace is complete.

Typically, traceroute sends three probes per hop to measure latency variability. This is why you see three RTT (Round Trip Time) values per line in the output.
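Added example (not from the original article): in UDP mode, the tracing side has to decide for every incoming ICMP message whether it answers one of its own probes, and whether it came from an intermediate hop or from the destination. The code below does this by reading the probe header quoted inside the ICMP error. The port convention (destination port = 33434 + probe sequence number), the helper names, and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

BASE_PORT = 33434  # assumed convention: probe N is sent to UDP port BASE_PORT + N

def ipv4(src, dst, proto, ttl):
    # Minimal 20-byte IPv4 header for sample data (lengths and checksum left 0).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icmp_error(responder, icmp_type, code, probe_dst, probe_port):
    # Constructed ICMP error as a raw socket would deliver it: outer IP header,
    # 8-byte ICMP header, then the quoted probe (its IP header + UDP header).
    quoted = ipv4("192.0.2.10", probe_dst, 17, 1) + struct.pack(
        "!HHHH", 54321, probe_port, 8, 0)
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0)
    return ipv4(responder, "192.0.2.10", 1, 250) + icmp + quoted

def classify_reply(packet):
    """Return (kind, responder_ip, probe_seq), or None if it is not our probe."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4                     # outer IP header length
    if len(packet) < ihl + 8 or packet[9] != 1:      # too short or not ICMP
        return None
    icmp_type, code = packet[ihl], packet[ihl + 1]
    quoted = packet[ihl + 8:]                        # the probe echoed back
    if len(quoted) < 20:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 8 or quoted[9] != 17:   # quoted probe must be UDP
        return None
    dst_port = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    seq = dst_port - BASE_PORT
    if not 0 <= seq < 256:                           # not one of our probe ports
        return None
    if (icmp_type, code) == (11, 0):
        kind = "hop"            # Time Exceeded in transit: an intermediate router
    elif (icmp_type, code) == (3, 3):
        kind = "destination"    # Port Unreachable: the trace is complete
    else:
        kind = "other"
    return kind, socket.inet_ntoa(packet[12:16]), seq
```

Matching on the quoted header rather than on arrival order is what lets a tracer ignore ICMP traffic that belongs to other flows.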

Reading Traceroute Output

A typical traceroute result contains several columns of information:

  • Hop number — The position in the path (1 is your gateway, the last is the destination).
  • IP address / Hostname — The router's address. Reverse DNS may resolve it to a hostname like ae-5.r24.amstnl02.nl.bb.gin.ntt.net, which often reveals the ISP, city, and router role.
  • RTT (Round Trip Time) — Usually three values in milliseconds. Lower is better. Large jumps between consecutive hops indicate a bottleneck.
  • ASN (Autonomous System Number) — Identifies which network operates the router. Useful for spotting where traffic crosses between ISPs.
  • Packet loss — The percentage of probes that received no response. Some loss at intermediate hops is normal (routers deprioritize ICMP), but loss at the final hop indicates a real problem.

Traceroute vs MTR: What Is the Difference?

traceroute runs once and gives you a snapshot. mtr (My Traceroute) combines traceroute and ping into a single tool that continuously probes the path and updates statistics in real time.

Key differences:

  • Continuous monitoring: mtr keeps sending probes, so you can observe intermittent issues that a single traceroute might miss.
  • Statistical accuracy: After hundreds of probes, mtr gives you reliable average, best, worst, and standard deviation values for each hop.
  • Packet loss detection: Brief packet loss spikes are visible in mtr but invisible in a one-shot traceroute.

Use traceroute for quick checks. Use mtr when you need to build a case with statistically significant data — for example, when filing a complaint with your ISP.

ICMP vs UDP vs TCP: Choosing a Protocol

Traceroute can use different protocols to send its probe packets, each with trade-offs:

  • UDP (default on Linux/macOS): Sends UDP datagrams to high-numbered ports (33434+). Works well in most environments but can be blocked by firewalls.
  • ICMP (default on Windows): Sends ICMP Echo Request packets — the same ones ping uses. Some routers rate-limit or drop ICMP, producing false timeouts.
  • TCP: Sends TCP SYN packets, usually to port 80 or 443. Excellent for traversing firewalls that block UDP and ICMP but allow web traffic.

If you see too many * * * (timeout) lines, try switching protocols. For a detailed comparison, see our guide on UDP vs ICMP vs TCP Traceroute.

Common Issues and How to Interpret Them

Timeouts (* * *)

A row of asterisks means the router did not send back an ICMP Time Exceeded message within the timeout window. This does not necessarily mean the router is down — many routers are configured to silently discard expired packets. If subsequent hops respond normally, the timeout is harmless.

Latency Spikes at a Single Hop

A sudden jump in RTT at one hop — say from 15 ms to 120 ms — suggests congestion or a long physical link (e.g., a transatlantic cable). Check whether the latency stays high for all subsequent hops. If it does, the bottleneck is real. If later hops return to normal, the router was simply slow at generating ICMP responses (control plane deprioritization).

Asymmetric Routing

Traceroute only shows the forward path. The return path may be different. This can cause confusing results where latency appears to decrease between hops — the ICMP reply is simply taking a shorter route back.

Loops

If you see the same IP address appearing at multiple consecutive hops, there is a routing loop. This usually resolves itself within minutes as routers converge, but persistent loops indicate a misconfiguration.
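Added example (not from the original article): the interpretation rules in this section for timeouts, latency spikes, and loops, applied to `traceroute -n` style text. The 50 ms spike threshold, the finding labels, and the sample output are assumptions constructed for illustration.

```python
import re

SPIKE_MS = 50.0  # assumed threshold for a "sudden jump" in average RTT

# Constructed `traceroute -n` style output (documentation addresses only).
SAMPLE = """\
 1  192.0.2.1  1.1 ms  1.0 ms  1.2 ms
 2  * * *
 3  203.0.113.5  14.8 ms  15.2 ms  15.0 ms
 4  203.0.113.9  121.0 ms  119.5 ms  120.2 ms
 5  203.0.113.13  16.1 ms  15.9 ms  16.3 ms
 6  198.51.100.20  98.0 ms  97.5 ms  99.1 ms
 7  198.51.100.7  99.0 ms  98.7 ms  99.5 ms
"""

def parse(text):
    """Return [(hop, ip_or_None, avg_rtt_or_None)] for each output line."""
    hops = []
    for line in text.strip().splitlines():
        ip = re.search(r"\d+\.\d+\.\d+\.\d+", line)
        rtts = [float(x) for x in re.findall(r"([\d.]+) ms", line)]
        avg = sum(rtts) / len(rtts) if rtts else None
        hops.append((int(line.split()[0]), ip.group() if ip and rtts else None, avg))
    return hops

def analyze(hops):
    """Apply the rules above; return sorted [(hop, finding)]."""
    findings = []
    answered = [h for h in hops if h[1]]
    last = answered[-1][0] if answered else 0
    for n, ip, _ in hops:
        if ip is None:  # harmless only if a later hop still answers
            findings.append((n, "timeout-harmless" if n < last else "timeout-at-end"))
    for i in range(1, len(answered)):
        (pn, pip, prtt), (n, ip, rtt) = answered[i - 1], answered[i]
        if ip == pip and n == pn + 1:
            findings.append((n, "loop"))                 # same IP, consecutive hops
        if rtt - prtt >= SPIKE_MS:
            later = [r for _, _, r in answered[i + 1:]]
            if not later:
                findings.append((n, "spike-at-last-hop"))
            elif all(r - prtt >= SPIKE_MS for r in later):
                findings.append((n, "bottleneck"))       # stays high downstream
            else:
                findings.append((n, "slow-icmp-reply"))  # later hops recover
    return sorted(findings)
```

On the sample, hop 4 is reported as a slow ICMP responder because hop 5 returns to about 16 ms, while hop 6 is reported as a bottleneck because the added latency persists to the destination.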

Practical Examples

Here are common real-world scenarios where traceroute proves invaluable:

  • Diagnosing slow website loading: Run a traceroute to the server and look for high-latency hops. If the latency spike occurs at your ISP's edge, contact them. If it occurs at the destination's network, the problem is on their end.
  • Verifying CDN routing: Traceroute to a CDN-fronted domain to confirm traffic is going to the nearest edge node rather than crossing continents.
  • Debugging VPN connectivity: Compare traceroutes with and without VPN to see if the tunnel is adding excessive latency or routing through unexpected locations.
  • Gaming lag investigation: Identify the exact hop causing jitter so you can report it to your ISP with evidence.

Visualize Your Traceroutes with TraceMapper

Command-line traceroute is powerful, but interpreting raw text output can be tedious. TraceMapper runs traceroutes from multiple global locations and plots every hop on an interactive map — complete with latency color coding, ASN information, and geolocation data. You can switch between ICMP, UDP, and TCP protocols with a single click.

Try a free traceroute now, or explore our other network diagnostic tools: Ping, DNS Lookup, and HTTP Check.