Get started Bring yourself up to speed with our introductory content.

How to use traceroute to troubleshoot network problems

Traceroute is a tool that can provide more insight than you might think. Learn how to use traceroute to troubleshoot network issues.

While most every network professional has learned how to use traceroute, many may not understand its true power...

as one of the most vital network troubleshooting tools. Traceroute is a packet-tracking tool that is available for most operating systems. It's more powerful than many might assume. It can be used by network administrators to detect bogus routes or potential redirects of traffic. Attackers can use traceroute to enumerate a path and for firewall discovery.

Understanding how to use traceroute can help you identify the number of networks, hops, devices and locations between the source and the destination device. Traceroute works by using the time-to-live (TTL) field in the IP header. Each router that handles an IP packet will decrease the TTL value by one. If the TTL reaches a value of zero, the packet is discarded and a "time exceeded" Type 11 Internet Control Message Protocol (ICMP) message is created to inform the source of the failure. Linux traceroute makes use of the User Datagram Protocol. Windows uses ICMP, and the command is tracert.

Making traceroute work for you

As an example, let's say there are normally seven hops from your office in Houston to the New York office; however, one day, users start complaining of extremely slow traffic. So, when you perform a traceroute, you determine that the hop count is now 14 and your packets are going to New York via China, which may indicate some type of issue. Your packets are taking a different route than usual; this may be a legitimate problem, or an attacker may have manipulated the Border Gateway Protocol routing standard and is potentially redirecting your traffic. Let's look at an example of a simple Windows traceroute, starting with the third hop that is targeting www.example.com.

C:\Users\user>tracert www.example.com

Tracing route to www.example.com [93.184.216.34]

over a maximum of 30 hops:

  3    14 ms    15 ms    16 ms  cr.den.twtelecom.net [64.129.248.110]

  4    18 ms    19 ms    29 ms  dllstxrnds1 [12.122.85.233]

  5    18 ms    17 ms    17 ms  ae-2-52.dllstx04.us.bb.gin.ntt.net [129.250.8.237]

  6    44 ms    18 ms    17 ms  ae-0.edgecast.dllstx04.us.bb.gin.ntt.net [129.250.196.130]

  7    18 ms    17 ms   114 ms  93.184.216.34

Trace complete.

Each numbered line in the preceding traceroute example represents one hop. By default, traceroute goes up to 30 hops; however, that can be adjusted with the -h option. Traceroute uses a default destination port that starts at 33434. Windows tracert sends a series of three probes per hop. Upon reaching the first router (my firewall), the packet TTL value is decremented to 0, which elicits a "time exceeded" Type 11 error message. This message is returned to the sender to indicate that the packet did not reach the remote host. Next, Windows increases the TTL to a value of 2. This process continues until we reach the destination shown in line 7. Because this is the final hop, the destination issue is either a normal ICMP ping response (if Windows is used) or an ICMP Type 3 destination unreachable message (if Linux is used) for traceroute.

How to use traceroute to determine the physical location of routers

What else can we discern from understanding traceroute and its role as one of the most versatile network troubleshooting tools? The physical location of the routers the packets are passing through. The two most widely used location identifiers are International Air Transport Association (IATA) codes and Common Language Location Identifier (CLLI) codes, a standardized method that pinpoints the physical locations of significant hardware at telco and carrier switching facilities. You will easily recognize IATA codes if you've ever flown. Line 3 displays DEN, which is the IATA code for Denver. An example of a CLLI code appears in line 4 of the traceroute. It indicates a location of Dallas.

identify

4    18 ms    19 ms    29 ms  dllstxrnds1 [12.122.85.233]

This particular hop indicates the following: dlls = Dallas, tx = Texas, rn = an office in Richardson and ds1 = the second digital telephone switch at the Richardson location.

One final piece of information you may be able to determine from a traceroute is the type of device and port your connection is passing through. For example, line 5 of the traceroute provides the following information:

ae-2-52.dllstx04.us.bb.gin.ntt.net

The naming format ae-#-# is most likely a Juniper device, Ethernet bundle in slot 2, port 52.

Hopefully, these examples demonstrate some of the useful information that can be gleaned from a simple traceroute. Not everyone follows an exact naming convention, but with a little work, you can start to pick out many pieces of useful information. Such information can be useful to a network defender as well as attackers attempting to enumerate your infrastructure.

Next Steps

Troubleshooting remote connection issues

The art and science of solving problems

This was last published in July 2015

Dig Deeper on Network Security Monitoring and Analysis

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How have you used traceroute to pinpoint performance issues?
Cancel
yes I use nslookup, ping and tracert when i experience slow browsing and/or website not found problem.
Cancel

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close