Published on March 18, 2026 · 6 min read

UDP vs ICMP vs TCP Traceroute: When to Use Each Protocol

Compare the three traceroute protocols and learn when to use ICMP, UDP, or TCP for network diagnostics.

Tags: traceroute, protocols, comparison

Why the Protocol Matters

When you run a traceroute, the tool needs to send probe packets into the network and rely on routers to send back error messages. But not all routers treat all packet types equally. Firewalls, rate limiters, and security policies may block certain protocols while allowing others. Choosing the right protocol can mean the difference between a complete trace and a wall of * * * timeouts.

The three protocols available in most traceroute implementations are UDP, ICMP, and TCP. Each has distinct advantages depending on your network environment.

UDP Traceroute

How It Works

UDP traceroute sends UDP datagrams to incrementally higher port numbers, starting at port 33434 by default. Each probe has an increasing TTL value. When the TTL expires at an intermediate router, the router sends back an ICMP Time Exceeded message. When the probe reaches the destination, the destination responds with an ICMP Port Unreachable message (because no service is listening on that port), signaling the end of the trace.

Pros and Cons

  • Default on Linux and macOS — no special flags needed.
  • Does not require root/admin privileges on most systems (UDP sockets are unprivileged).
  • Blocked by many firewalls — enterprise networks and cloud providers often restrict outbound UDP to unknown ports.
  • Port-based filtering can cause inconsistent results when different firewalls along the path have different rules.

Best For

General-purpose diagnostics on Linux/macOS when you have a relatively open network path. Works well for tracing to servers you control or to major internet infrastructure.

ICMP Traceroute

How It Works

ICMP traceroute sends ICMP Echo Request packets (the same type used by ping) with increasing TTL values. Intermediate routers return ICMP Time Exceeded messages as usual. When the packet reaches the destination, it replies with an ICMP Echo Reply — the same response you get from ping.

Pros and Cons

  • Default on Windows (tracert uses ICMP).
  • Universally understood — almost every router can generate ICMP Time Exceeded.
  • Often rate-limited — many routers deprioritize ICMP processing, leading to artificially inflated RTT values or dropped responses.
  • Requires root/admin on Linux — raw sockets are needed to craft ICMP packets.
  • Blocked in some security-hardened environments — some networks drop all ICMP at the perimeter.

Best For

Quick tests from Windows machines, or when UDP traceroute returns too many timeouts. Also useful when you specifically want to test ICMP reachability (e.g., verifying that ping will work end-to-end).

TCP Traceroute

How It Works

TCP traceroute sends TCP SYN packets (the first step of the TCP three-way handshake) to a specific port — usually port 80 (HTTP) or port 443 (HTTPS). Intermediate routers still return ICMP Time Exceeded for expired TTLs. When the SYN reaches the destination, it responds with either a SYN/ACK (port open) or a RST (port closed), completing the trace.

Pros and Cons

  • Penetrates most firewalls — ports 80 and 443 are almost universally allowed through firewalls, NATs, and security groups.
  • Best for tracing to web servers — the probe looks like a normal web connection attempt.
  • Requires root/admin — crafting raw TCP SYN packets requires elevated privileges.
  • May trigger IDS/IPS alerts — rapid SYN packets to the same port can look like a SYN scan.

Best For

Corporate networks, cloud environments (AWS, GCP, Azure), and any situation where UDP and ICMP are being filtered. If you are troubleshooting connectivity to a web application and other modes return incomplete results, TCP mode is your best bet.

Comparison Table

| Feature | UDP | ICMP | TCP |
|---|---|---|---|
| Default OS | Linux, macOS | Windows | None (explicit flag) |
| Requires root/admin | No | Yes (Linux) | Yes |
| Firewall penetration | Low | Medium | High |
| Destination port | 33434+ | N/A | 80 or 443 |
| End-of-trace signal | ICMP Port Unreachable | ICMP Echo Reply | SYN/ACK or RST |
| Rate limiting risk | Low | High | Low |
| CLI flag | -U (default) | -I | -T |
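
The three "How It Works" sections differ only in the end-of-trace signal, which the following added example (not code from this article or from any traceroute tool) makes concrete by classifying raw IPv4 replies per probe type. The function names, the sample packets and the documentation-range addresses are constructed for illustration.

```python
import socket
import struct

ICMP, TCP = 1, 6  # IPv4 protocol numbers

def classify_reply(probe, packet):
    """Return (verdict, source_ip); verdict is "hop", "destination" or "other"."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    proto, src = packet[9], socket.inet_ntoa(packet[12:16])
    body = packet[ihl:]
    if proto == ICMP and len(body) >= 2:
        icmp_type, icmp_code = body[0], body[1]
        if (icmp_type, icmp_code) == (11, 0):  # Time Exceeded: same for every probe type
            return "hop", src
        if probe == "udp" and (icmp_type, icmp_code) == (3, 3):  # Port Unreachable
            return "destination", src
        if probe == "icmp" and icmp_type == 0:                   # Echo Reply
            return "destination", src
    elif proto == TCP and probe == "tcp" and len(body) >= 14:
        flags = body[13]
        if (flags & 0x12) == 0x12 or flags & 0x04:  # SYN/ACK (open) or RST (closed)
            return "destination", src
    return "other", src

def build_ipv4(src, proto, body):
    """Build a constructed IPv4 packet for the samples (checksums left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto,
                         0, socket.inet_aton(src), socket.inet_aton("192.0.2.10"))
    return header + body

def build_tcp(flags):
    """Constructed 20-byte TCP header from port 443 carrying the given flag byte."""
    return struct.pack("!HHIIBBHHH", 443, 40000, 1, 1, 0x50, flags, 0, 0, 0)

# Constructed replies using documentation address ranges (not captured traffic).
TIME_EXCEEDED = build_ipv4("198.51.100.1", ICMP, bytes([11, 0]) + bytes(6))
PORT_UNREACH = build_ipv4("203.0.113.5", ICMP, bytes([3, 3]) + bytes(6))
ECHO_REPLY = build_ipv4("203.0.113.5", ICMP, bytes([0, 0]) + bytes(6))
SYN_ACK = build_ipv4("203.0.113.5", TCP, build_tcp(0x12))
RST_ACK = build_ipv4("203.0.113.5", TCP, build_tcp(0x14))

if __name__ == "__main__":
    for probe, pkt in [("udp", TIME_EXCEEDED), ("udp", PORT_UNREACH),
                       ("icmp", ECHO_REPLY), ("tcp", SYN_ACK), ("tcp", RST_ACK)]:
        print(probe, *classify_reply(probe, pkt))
```

A real tool also matches the original probe header quoted inside each ICMP error against its own probes before trusting the reply; that step is left out here.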

Real-World Scenarios

Corporate Office Behind a Strict Firewall

Your company firewall blocks all outbound UDP except DNS (port 53) and all ICMP except ping to the gateway. Use TCP mode on port 443. The SYN packets look like HTTPS connection attempts and pass through cleanly.

ISP Debugging for Gaming Latency

You want to trace the path to a game server. Start with UDP (the default). If you see timeouts mid-path, switch to ICMP. Game servers often run on non-standard ports, so TCP to port 80 may not reach the actual game server — but it will still reveal the network path and latency to the host.

Cloud Infrastructure (AWS, GCP)

Cloud security groups typically block inbound UDP on high ports and may filter ICMP. Use TCP on port 443 to trace through VPCs, load balancers, and NAT gateways reliably.

Residential ISP Troubleshooting

ICMP usually works fine from home connections. It is the simplest to interpret since both intermediate and final responses use ICMP. If your ISP rate-limits ICMP, you will see inflated latency at their hops — switch to UDP to get more accurate RTT measurements.

Practical Recommendations

  1. Start with the default (UDP on Linux/macOS, ICMP on Windows).
  2. If you see many timeouts, switch to TCP mode targeting port 443.
  3. Run the trace with multiple protocols and compare — differences reveal where filtering is happening.
  4. Document the protocol used when sharing results with your ISP or hosting provider, as results vary by protocol.
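
Step 3 above, as an added example (not TraceMapper's code): it compares traces of one path taken with each protocol and reports where each one went silent while another got further. The hop lists are constructed sample data, and the function and field names are assumptions made for this illustration.

```python
def compare_traces(traces):
    """Compare per-protocol traces of the same path.

    traces maps protocol -> list of hop addresses indexed by TTL (None = '*').
    For each protocol the report gives:
      reached      last TTL that produced a reply
      gaps         TTLs that timed out although a later hop replied; the router
                   at that hop stayed quiet (for example rate limiting), the
                   probes themselves still got through
      silent_after last hop seen before the trace went quiet while another
                   protocol got further, i.e. filtering starts beyond that hop
    """
    reached = {}
    for proto, hops in traces.items():
        answered = [ttl for ttl, hop in enumerate(hops, start=1) if hop]
        reached[proto] = answered[-1] if answered else 0
    furthest = max(reached.values())

    report = {}
    for proto, hops in traces.items():
        last = reached[proto]
        gaps = [ttl for ttl in range(1, last) if hops[ttl - 1] is None]
        silent_after = None
        if last < furthest:
            silent_after = hops[last - 1] if last else "(no hop answered)"
        report[proto] = {"reached": last, "gaps": gaps, "silent_after": silent_after}
    return report

# Constructed sample: the same 6-hop path traced with each protocol.
SAMPLE = {
    "udp":  ["10.0.0.1", "198.51.100.1", "198.51.100.9", None, None, None],
    "icmp": ["10.0.0.1", "198.51.100.1", None, "203.0.113.1", None, None],
    "tcp":  ["10.0.0.1", "198.51.100.1", "198.51.100.9",
             "203.0.113.1", "203.0.113.2", "203.0.113.5"],
}

if __name__ == "__main__":
    for proto, result in compare_traces(SAMPLE).items():
        print(proto, result)
```

In the sample, UDP goes silent after 198.51.100.9 and ICMP after 203.0.113.1 while TCP completes, which places the UDP filter one hop earlier than the ICMP filter; the ICMP gap at TTL 3 is a quiet router, not a block.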

Try All Three Protocols with TraceMapper

TraceMapper lets you switch between UDP, ICMP, and TCP with a single click — no command-line knowledge required. Results are plotted on an interactive map with ASN information, latency color coding, and multi-source tracing from different geographic locations.

Run a free traceroute now and see how different protocols produce different results for your target. For more network diagnostic tools, explore our Ping, DNS Lookup, and Port Check tools.