diagram.mmd — sequence
Traceroute Process sequence diagram

Traceroute is a network diagnostic tool that discovers the sequence of routers (hops) between a source and destination by exploiting the IP TTL (Time to Live) field, sending probes with incrementing TTL values and collecting ICMP Time Exceeded responses from each hop.

Every IP packet carries a TTL field, decremented by 1 at each router hop. When TTL reaches 0, the router discards the packet and sends an ICMP "Time Exceeded" message back to the source. Crucially, this message is sent from the router's own IP address, which is what lets the source identify the hop.

Mechanics: Traceroute sends the first probe with TTL=1. The first router decrements TTL to 0, discards the packet, and sends back an ICMP Time Exceeded message from its own IP address. Traceroute records that IP as hop 1 and the round-trip time. It then sends probes with TTL=2, reaching the second router. This continues until either the destination is reached or the maximum hop count is hit (usually 30).

Probe Protocols: Unix traceroute uses UDP probes to high-numbered ports (33434+) by default. Windows tracert uses ICMP Echo Requests. traceroute -T uses TCP SYN packets (bypasses firewalls that block ICMP/UDP).

Three Probes Per Hop: Traceroute sends three probes per TTL value to measure RTT variation. The three RTT values show jitter and packet loss at each hop. An asterisk (*) means no response — either the router drops probes without sending ICMP, or the ICMP response is blocked by a firewall.

Asymmetric Routing: Traceroute only shows the forward path. Return packets may take completely different routes, so the displayed path is not necessarily symmetric. The RTT at each hop includes the full round-trip to that router, not just the one-way latency.

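ECMP: On networks using ECMP (Equal-Cost Multi-Path), each probe for the same TTL may take a different path, producing seemingly random hops. Routers pick among equal-cost paths with a per-flow hash. Classic UDP traceroute increments the destination port with every probe, so each probe has a different 5-tuple and may hash onto a different path. Successive probes with the same 5-tuple typically follow the same path.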
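A small simulation of the probe loop described above, covering the asterisk and ECMP cases (an added example, not part of the original page). The topology, the addresses 172.16.0.2 and 198.51.100.7, and the `port % n` selector standing in for a router's 5-tuple hash are constructed for illustration.

```python
# Constructed topology: each entry lists the equal-cost routers at that hop.
# None models a router that forwards traffic but never sends ICMP Time Exceeded.
PATH = [["10.0.0.1"], ["172.16.0.1", "172.16.0.2"], [None], ["203.0.113.1"]]
DEST = "198.51.100.7"   # constructed destination address
BASE_PORT = 33434       # first UDP destination port used by Unix traceroute


def forward(ttl, dst_port):
    """Carry one probe along PATH; return (replying IP or None, ICMP type)."""
    for routers in PATH:
        # Toy ECMP selector: only the destination port varies between probes,
        # so it stands in for the router's hash over the whole 5-tuple.
        router = routers[dst_port % len(routers)]
        ttl -= 1
        if ttl == 0:
            # TTL expired here. A silent router (None) sends nothing back.
            return router, "time-exceeded"
    # Probe arrived with TTL >= 1: closed UDP port answers Port Unreachable.
    return DEST, "port-unreachable"


def traceroute(max_hops=30, probes=3, vary_port=True):
    """Return [(ttl, [replier or '*', ...])], stopping at the destination."""
    hops, seq = [], 0
    for ttl in range(1, max_hops + 1):
        row, reached = [], False
        for _ in range(probes):
            # Classic behaviour: a new destination port for every probe.
            port = BASE_PORT + (seq if vary_port else 0)
            seq += 1
            replier, kind = forward(ttl, port)
            row.append(replier or "*")
            reached = reached or kind == "port-unreachable"
        hops.append((ttl, row))
        if reached:
            break
    return hops


if __name__ == "__main__":
    for vary in (True, False):
        print("per-probe ports:" if vary else "fixed port:")
        for ttl, row in traceroute(vary_port=vary):
            print(f"{ttl:2d}  " + "  ".join(row))
```

With per-probe ports, hop 2 alternates between the two equal-cost routers; with a fixed port, all three probes report the same one.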


Frequently asked questions

Traceroute is a network diagnostic tool that discovers the sequence of routers between a source and destination by exploiting the IP TTL field. It sends probe packets with incrementing TTL values, collecting ICMP Time Exceeded messages from each router that discards a probe. The result is a hop-by-hop map of the network path with round-trip time measurements at each hop.
Traceroute sends the first probe with TTL=1. The first router decrements TTL to 0, drops the packet, and sends an ICMP Time Exceeded message from its own IP. Traceroute records that IP as hop 1. It then sends probes with TTL=2, reaching hop 2. This continues, incrementing TTL by 1 each time, until the destination is reached or the maximum hop count (typically 30) is hit. Three probes are sent per TTL to measure RTT variance.
An asterisk means no ICMP response was received within the timeout period. This usually means the router at that hop is configured not to send ICMP Time Exceeded messages (common on core internet routers), or a firewall is blocking ICMP responses. It does not necessarily mean the path is broken; probes may still be forwarded correctly through that hop.
Unix `traceroute` sends UDP probes to high-numbered ports (33434+) by default, while Windows `tracert` sends ICMP Echo Requests. Unix also supports TCP SYN mode (`traceroute -T`) which bypasses firewalls that block ICMP and UDP but allow TCP — useful for tracing paths through enterprise firewalls to a specific port.
```mermaid
sequenceDiagram
    participant Src as Source Host
    participant R1 as Router 1 (hop 1)
    participant R2 as Router 2 (hop 2)
    participant R3 as Router 3 (hop 3)
    participant Dst as Destination Host

    Note over Src: Probe 1: TTL=1
    Src->>R1: UDP probe (dst port 33434) TTL=1
    Note over R1: TTL decremented to 0\nDiscard packet
    R1-->>Src: ICMP Time Exceeded\nFrom: 10.0.0.1 RTT=5ms
    Note over Src: Hop 1: 10.0.0.1 (5ms)

    Note over Src: Probe 2: TTL=2
    Src->>R1: UDP probe TTL=2
    R1->>R2: Forward, TTL=1
    Note over R2: TTL decremented to 0
    R2-->>Src: ICMP Time Exceeded\nFrom: 172.16.0.1 RTT=18ms
    Note over Src: Hop 2: 172.16.0.1 (18ms)

    Note over Src: Probe 3: TTL=3
    Src->>R1: UDP probe TTL=3
    R1->>R2: Forward TTL=2
    R2->>R3: Forward TTL=1
    Note over R3: TTL decremented to 0
    R3-->>Src: ICMP Time Exceeded\nFrom: 203.0.113.1 RTT=35ms
    Note over Src: Hop 3: 203.0.113.1 (35ms)

    Note over Src: Probe 4: TTL=4
    Src->>R1: UDP probe TTL=4
    R1->>R2: Forward TTL=3
    R2->>R3: Forward TTL=2
    R3->>Dst: Forward TTL=1
    Note over Dst: TTL still 1 — deliver\nPort unreachable response
    Dst-->>Src: ICMP Port Unreachable\nDestination reached RTT=42ms
```