Traceroute is a powerful tool. Extremely useful when checking the path of a packet through the network. But how does it ACTUALLY work? What is REALLY going on?

Layer3 packets all have a TTL. A Time To Live. If a router receives a packet with a TTL of 1 (and the packet is addresses to a host not directly connected to this router) it will drop the packet. It will also then create an ICMP error packet and send it back to the original source of the packet to let it know that the address was unreachable this time.

If you ping another machine, the OS will generally create a TTL of 255 for sent packets, though it doesn’t HAVE to be 255.

Traceroute will force an ICMP error message so it can get more information from each hop in the path.

As an example, let’s run a quick traceroute to 4.2.2.1 and see what it gives us:

C:\Users\Darren>tracert 4.2.2.1

Tracing route to vnsc-pri.sys.gtei.net [4.2.2.1]
over a maximum of 30 hops:

  1   1 ms  <1 ms  <1 ms  DD-WRT [10.50.80.1]
  2   8 ms   9 ms   8 ms  10.3.280.1
  3   8 ms   9 ms  26 ms  walt-cam-1a-ge96.network.virginmedia.net [80.1.170.69]
  4  18 ms   7 ms   8 ms  popl-core-1a-ae2-0.network.virginmedia.net [195.182.175.229]
  5   8 ms   6 ms  16 ms  popl-bb-1a-as2-0.network.virginmedia.net [213.105.174.234]
  6  31 ms  15 ms  15 ms  195.50.91.69
  7  12 ms  13 ms  31 ms  ae-11-51.car1.London1.Level3.net [4.69.139.66]
  8  14 ms  16 ms  22 ms  vnsc-pri.sys.gtei.net [4.2.2.1]

Trace complete.

I’ve loaded up Wireshark to tell me exactly what’s going on. The very first packet sent from my PC was sent with a destination IP of 4.2.2.1 – but with a TTL of only 1.

When my router (10.50.80.1) received that packet, it noticed that the TTL was 1, but also that 4.2.2.1 was not directly connected to it. It responded to my PC with an ICMP code 11 – Time-to-live exceeded. It also responded with it’s own source address.

Traceroute now knows that the very first hop to 4.2.2.1 happens to be my local router. It also knows that the routers IP is 10.50.80.1 – It send 3 ECHO reply requests with a TTL of 1. This is the reason you see the 3 values in the traceroute output

It doesn’t stop there though. As soon as traceroute knows that 10.50.80.1 is the first hop, it’ll ask 10.50.80.1 what it’s hostname is via a DNS PTR request. The router will respond to my PC with a DNS PTR response letting it know the hostname. Now traceroute knows what the IP address and hostname is for the first hop. Note that not ALL devices on the internet will respond with a PTR record and so you won’t ALWAYS get a hostname.

Traceroute will now start again and send 3 more packets with a TTL of 2. Exactly the same will happen as above, but for the second hop in the path. This will continue to happen until we eventually get to the host, or we run into the maximum hop count.

When we finally get ICMP echo replies from 4.2.2.1 – traceroute knows it’s job is complete.

btw, traceroute attempts to get PTR records from the devices in the path only when it gets a TTL time exceeded reply. The actual host you are trying to get to is different though. As soon as I ran traceroute 4.2.2.1 it immediately tried to get the PTR record of 4.2.2.1 first. Once it had that it started with all of the above.