What Does traceroute Do?

Core idea

traceroute (Linux/BSD/macOS) maps the sequence of routers toward a destination by sending probe packets whose TTL (IPv4) or hop limit (IPv6) starts at 1 and increases each round. When a transit router decrements TTL to zero, it normally returns an ICMP Time Exceeded message naming itself (or an interface address). The tool records RTT samples for that hop. The final hop typically responds with a port unreachable (UDP mode), ICMP echo reply (some ICMP modes), or TCP RST/response depending on implementation and flags.

Why implementations differ

Variant	Typical probes	Firewall reality
Linux default	UDP to high destination ports	Some edges block UDP but allow TCP 443
`traceroute -I`	ICMP echo like ping	Closer to Windows tracert behavior
`traceroute -T -p 443`	TCP SYN toward a port	Often needs privileges; simulates app-like paths
Windows `tracert`	ICMP echo with rising TTL	Middle boxes may treat ICMP differently from your TCP app

Reading the output

Asterisks mean no reply before the timeout—often rate limiting, ACLs, or asymmetric paths—not proof the hop is offline. A single inflated RTT on a middle router may reflect slow-path ICMP generation, not application latency—validate with end-to-end TCP or HTTP timings.

Related tools

mtr combines traceroute with continuous loss/latency sampling. pathping on Windows performs a similar multi-phase idea. For DNS-specific failures, still run dig/nslookup alongside path tools.

Frequently Asked Questions

Q.Is traceroute the same as ping?

No. ping tests reachability to one host with echo requests. traceroute walks the path hop-by-hop using TTL expiry (and variant-specific final responses) to reveal routers in between.

Q.Why does Linux traceroute default to UDP?

Historical and practical: sending UDP to unlikely high ports elicits ICMP port unreachable at the destination while still generating time-exceeded replies along the path. Your distribution may default differently—check traceroute --help.

Q.What do stars (*) in traceroute mean?

No reply was received for that probe within the wait window—often ICMP filtering, rate limits, load balancers, or asymmetric return paths—not necessarily a broken link.

Q.Does traceroute show the return path?

No. It only reveals forward-path routers that honor TTL and respond. Return traffic may take different asymmetric routes invisible to classic traceroute.

Q.Why does traceroute to a CDN look confusing?

Anycast and per-flow load balancing can make successive probes hit different edges or POPs, reordering hops. Run longer samples (mtr) and compare DNS answers you actually use.

Q.When should I use TCP traceroute?

When ICMP or UDP probes are blocked but TCP to a well-known port (for example 443) is allowed—helps approximate the path your application traffic might take.

Q.Does traceroute need root?

Often for raw ICMP or certain TCP modes. UDP defaults may work unprivileged on some systems; if you see permission errors, retry with sudo or adjust flags per the man page.

Q.How does this relate to Windows tracert?

tracert is Microsoft's ICMP-based traceroute. Middle boxes may treat it differently from Linux UDP traceroute—compare results when diagnosing cross-platform issues.