Traceroute Explained

By: Grifter (the Hektik Crew)

§ Intro

Well, before you go getting your panties in a bunch, let me explain why this talk is about
traceroute. Let's face it, everyone has seen it, most of us use it often, and if you
don't, you will. TraceRoute is a great tool in the Network Technicians proverbial ToolBelt.
But I would have to say that in my experience it is used most to find the "route" that your
IP packets take on their way to and from a host machine.

If you can't seem to connect to a machine/host, you can run traceroute to see where
the problem lies. If you're trying to connect to but your packet dies on a
router in Denver, you know that the problem is not on your network, but on a network in
Denver. I just figured that since many people use it and probably don't know what it's
really doing, explaining traceroute would be a good topic.

§ TraceRoute and ICMP

TraceRoute is part of the ICMP(Internet Control Message Protocol). ICMP is mostly used in
error handling of network traffic between two systems. There were originally 11 types of
ICMP messages in RFC 792, but it has been through a few revisions and there are currently
37 types of ICMP messages flying around out there.

All ICMP messages are transmitted as IP datagrams. Prepare to fear my ASCII skills...

1 7 8 15 16 31
| Type (8-bits) | Code (8-bits) | Checksum (16-bits) |
| Unused |
| Data (Internet Header + 64 bits of Original Datagram) |

OK, let me break this down...

The "type" field holds the different values that determine which
particular message is being sent.

The "code" field holds the different sub-types of the message.

The "checksum" is a count of the number of bits in a message so
the receiver can check to see whether the same number of bits
arrived. If the counts match, it's assumed that the complete
transmission was received.

The "data" should be self-explanatory, but the IP Header is
important. The IP Header contains the source and destination
IP addresses as well as a few other values, but the one we'll
be focusing on is the TTL(Time to Live) value.

Let's compare the ICMP datagram to a journal of one of the ever so exciting events that
may be part of your life if you're 14-17 years old. Let's say you tried to go over to
your girlfriends to give her a sappy love letter(Data) you just wrote, that you know will
score big points, but you only have a half hour(30 Minute TTL) to sneak out of your house
and give it to her before your parents notice you're gone. You run a few blocks over and
throw rocks at her window trying to wake her up, but after about 20 minutes she never
comes to the window. You call it a loss and you jog back home. What you just experienced
was an ICMP "Time Exceeded" or Type 11 error. And this is what makes traceroute work.

§ How TraceRoute Works

When a packet leaves a host, it is given an initial Time To Live (TTL) count, that is
supposed to be large enough to allow it to arrive at it's destination. Each gateway that
it encounters along the way will decrease the TTL by 1. If a gateway receives a message
with a TTL of 0, the packet is dropped and an ICMP Time Exceeded message is sent back to
the source host. This keeps packets that go astray from just bouncing around the network
and wasting the precious bandwidth you abuse to download porn.

Traceroute sends an IP Datagram with a TTL value of 1 to the destination system. The first
router to handle the datagram decreases the TTL value by one and drops the packet. After
this happens the router sends an ICMP Time Exceeded message back to your system with it's
IP address as the source address. That is how you get the IP of the first router on the
way to the destination system. Then traceroute sends another datagram to the destination
system with a TTL value of 2. As it passes through the first router the value is decreased
to 1, and is then dropped by the second router it encounters. Which in turn sends it's own
ICMP error, giving you the IP address of the second router on the way to the destination
system. Traceroute will continue to increase the TTL value by 1 until the destination
system is reached.

Now, when the destination is reached, the final TTL value of 1 will not be discarded and
the packet would not be dropped. Traceroute works around this problem by sending UDP
packets to the destination system on very high ports that services are not likely to be
running on. When the packet can't be received on the designated port, the destination
machine will return a ICMP "Port Unreachable" error message. TraceRoute sees that it
has received "Port Unreachable" instead of "Time Exceeded" and knows that the destination
system has been reached, and the packets stop.

So to sum it all up... TraceRoute send UDP packets to a destination host with a TTL value
of 1 and increases that value upon receiving an ICMP Time Exceeded error message from
routers along the way. Each routers error message contains it's IP address, which is
recorded by TraceRoute. The destination system returns a Port Unreachable error which lets
TraceRoute know that its destination has been reached.

§ Conclusion

Well, I hope that wasn't too mind numbingly boring for you. Sometimes it's nice to know
what's going on behind the curtain. If you thought it sucked, why the hell did you continue
to read this far along? Shouldn't you have stopped a long time ago?

Anyway, I just hope that maybe someone got something out of this. TraceRoute is pretty kool
to use, but it's even better when you know what it's doing.

1.) Traceroute explained - Grifter

2.) Overview of a few computer security issues - madirish

3.) Footprinting: The basics of hacking - ManicVelocity

4.) DSniff: Use and Abuse - Oshu

5.) Installing Linux on your PalmOS Device - Jayson Staton

6.) Computer Robotics: Hacking towards the future of Electro-Mechanical Companionship - Jayson Staton

7.) A Quick Take on Athlon XP - biatch0

8.) The coming of Age - Dinesh Nair

9.) A newbie intro to Telnet - Kn¿ght



1 comment for 'Traceroute Explained'

A good, light article about traceroute. However, you didn't include one very important thing:

Unix's implementation of traceroute uses UDP (well, you did mention that), whereas Microsoft's implementation uses ICMP_ECHO. The reason why Unix's

traceroute uses UDP is simple: RFC 792 says:

"The ICMP messages typically report errors in the processing of datagrams. To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages."

Good enough. I am not sure why Microsoft's tracert uses ICMP_ECHO.

Now, this is certainly OK, but once I was tracerouting a site from Linux, nobody answered, but someone answered when I did tracert on W2K to the same site. Got my head scratching for a while.

Anyways, here's a traceroute to google that I did last year ( was up at that time, I merely demoed traceroute during a training session)

Question: what happened after the 13th hop?

4 500.POS2-3.IG2.SAC1.ALTER.NET ( 388.480 ms 482.683 ms

303.100 ms

5 ( 236.398 ms 387.124 ms

583.768 ms

6 ( 477.466 ms 439.282 ms

479.218 ms

7 POS6-0.BR6.SAC1.ALTER.NET ( 390.692 ms 568.693 ms 484.564


8 ( 499.923 ms 383.013 ms 320.717 ms

9 ( 1802.433 ms 374.793 ms

405.332 ms

10 ( 477.461 ms 386.228 ms

486.317 ms

11 * * *

12 ( 398.476 ms 486.035

ms 482.552 ms

13 ( 480.295 ms 381.506 ms 589.927


14 ( 667.839 ms 582.771 ms 593.948 ms

15 * *