While most every network professional has learned how to use traceroute, many may not understand its true power...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
as one of the most vital network troubleshooting tools. Traceroute is a packet-tracking tool that is available for most operating systems. It's more powerful than many might assume. It can be used by network administrators to detect bogus routes or potential redirects of traffic. Attackers can use traceroute to enumerate a path and for firewall discovery.
Understanding how to use traceroute can help you identify the number of networks, hops, devices and locations between the source and the destination device. Traceroute works by using the time-to-live (TTL) field in the IP header. Each router that handles an IP packet will decrease the TTL value by one. If the TTL reaches a value of zero, the packet is discarded and a "time exceeded" Type 11 Internet Control Message Protocol (ICMP) message is created to inform the source of the failure. Linux traceroute makes use of the User Datagram Protocol. Windows uses ICMP, and the command is tracert.
Making traceroute work for you
As an example, let's say there are normally seven hops from your office in Houston to the New York office; however, one day, users start complaining of extremely slow traffic. So, when you perform a traceroute, you determine that the hop count is now 14 and your packets are going to New York via China, which may indicate some type of issue. Your packets are taking a different route than usual; this may be a legitimate problem, or an attacker may have manipulated the Border Gateway Protocol routing standard and is potentially redirecting your traffic. Let's look at an example of a simple Windows traceroute, starting with the third hop that is targeting www.example.com.
Tracing route to www.example.com [126.96.36.199]
over a maximum of 30 hops:
3 14 ms 15 ms 16 ms cr.den.twtelecom.net [188.8.131.52]
4 18 ms 19 ms 29 ms dllstxrnds1 [184.108.40.206]
5 18 ms 17 ms 17 ms ae-2-52.dllstx04.us.bb.gin.ntt.net [220.127.116.11]
6 44 ms 18 ms 17 ms ae-0.edgecast.dllstx04.us.bb.gin.ntt.net [18.104.22.168]
7 18 ms 17 ms 114 ms 22.214.171.124
Each numbered line in the preceding traceroute example represents one hop. By default, traceroute goes up to 30 hops; however, that can be adjusted with the -h option. Traceroute uses a default destination port that starts at 33434. Windows tracert sends a series of three probes per hop. Upon reaching the first router (my firewall), the packet TTL value is decremented to 0, which elicits a "time exceeded" Type 11 error message. This message is returned to the sender to indicate that the packet did not reach the remote host. Next, Windows increases the TTL to a value of 2. This process continues until we reach the destination shown in line 7. Because this is the final hop, the destination issue is either a normal ICMP ping response (if Windows is used) or an ICMP Type 3 destination unreachable message (if Linux is used) for traceroute.
How to use traceroute to determine the physical location of routers
What else can we discern from understanding traceroute and its role as one of the most versatile network troubleshooting tools? The physical location of the routers the packets are passing through. The two most widely used location identifiers are International Air Transport Association (IATA) codes and Common Language Location Identifier (CLLI) codes, a standardized method that pinpoints the physical locations of significant hardware at telco and carrier switching facilities. You will easily recognize IATA codes if you've ever flown. Line 3 displays DEN, which is the IATA code for Denver. An example of a CLLI code appears in line 4 of the traceroute. It indicates a location of Dallas.
4 18 ms 19 ms 29 ms dllstxrnds1 [126.96.36.199]
This particular hop indicates the following: dlls = Dallas, tx = Texas, rn = an office in Richardson and ds1 = the second digital telephone switch at the Richardson location.
One final piece of information you may be able to determine from a traceroute is the type of device and port your connection is passing through. For example, line 5 of the traceroute provides the following information:
The naming format ae-#-# is most likely a Juniper device, Ethernet bundle in slot 2, port 52.
Hopefully, these examples demonstrate some of the useful information that can be gleaned from a simple traceroute. Not everyone follows an exact naming convention, but with a little work, you can start to pick out many pieces of useful information. Such information can be useful to a network defender as well as attackers attempting to enumerate your infrastructure.
Troubleshooting remote connection issues
The art and science of solving problems