What is in The Traceroute Command That Everyone Must Know

Many network engineers use the Traceroute command very often. They need a basic tool to determine a path from node A to node B. So they simply type “traceroute” or “tracert” without really knowing what it is doing in the background.

This article will demystify some of the dark operations of Traceroute. And when you learn all this stuff, you will become a Traceroute wizard.

Traceroute displays the Round-Trip Time (or two-way delay) between a source node and each other node in the network path. The Round-Trip Time is calculated with this formula:

Round-Trip Time = (the time stamp when a hop sends the ICMP Time Exceeded message) minus (the time stamp when the SRC sends the probe)

The Round Trip Time calculated by Traceroute must not be confused with the Round Trip Time of a TCP connection. Although both concepts measure a delay, they are different. The first measures the delay between sending a probe and receiving a response. The second measures the time elapsed from sending a TCP segment to receiving an ACK.

How the Traceroute Command Works

Figure: How Traceroute works – © 2011 Richard A Steenbergen

In the first round, the source host (denoted as SRC) sends three probe packets, each with TTL=1. The first hop receives each probe packet, decreases its TTL value to 0, drops the packet and sends back an ICMP Type 11 Code 0 message (which corresponds to ICMP Time Exceeded, Time to Live Exceeded in Transit).

The response contains the original probe in its payload.

Probes can be either UDP datagrams (Linux machines, Cisco devices) or ICMP Echo messages (Windows machines).

The Wireshark captures in this article relate to UDP probing, but the concept of ICMP probing is not very different.

In UDP probing, each probe packet size will be at least 8 Bytes, and each ICMP reply will contain the whole 8 Bytes in its payload, because the minimum size of the UDP header is 8 Bytes.

Note:

Some documents simply mention an ICMP TTL Exceeded message, in reference to ICMP Type 11 Code 0.

In the second round, SRC sends three new probes, where each probe packet has an incremented TTL value (TTL=2). The first hop reads the packet, decrements the TTL and sends it to the second hop. The second hop decrements the TTL (to 0), drops the packet and sends back an ICMP Type 11 Code 0 message, with the original probe in its payload.

This process continues where SRC sends probes with incremented TTL value. It stops when the destination host (denoted as DST) sends an ICMP Type 3 Code 3 (ICMP Destination Unreachable, Port Unreachable) to SRC.

Most implementations of traceroute send 3 probes in each round. That’s why we see three RTT values in each traceroute line.

Traceroute can use TCP, UDP or ICMP for probing. If the probes are UDP-based, then the first probe will be sent to destination port 33434.

The subsequent probes will have incremented destination port numbers (33435, 33436,…).

Why is the final ICMP response Destination Unreachable, Port Unreachable? Because the port solicited by the Traceroute command is usually not associated with any application.
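The ICMP replies described above carry the original probe's IP header and 8-byte UDP header, so the quoted destination port identifies which probe a reply answers. The following Python sketch is an added example, not code from the original article; it assumes three probes per round with the port incremented by one per probe starting at 33434, and the sample packets and addresses are constructed.

```python
import struct

BASE_PORT = 33434       # first UDP probe port, as stated in the article
PROBES_PER_ROUND = 3    # assumption: three probes per TTL, port +1 per probe

def build_icmp_error(icmp_type, code, probe_dport, probe_sport=54321):
    """Constructed sample: ICMP header + quoted IPv4 header + quoted UDP header."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)  # checksum left 0 here
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    udp_hdr = struct.pack("!HHHH", probe_sport, probe_dport, 8, 0)
    return icmp_hdr + ip_hdr + udp_hdr

def classify_reply(icmp_msg):
    """Map an ICMP error back to the probe (TTL round, probe number) that caused it."""
    if len(icmp_msg) < 8 + 20 + 8:
        raise ValueError("too short to hold quoted IP and UDP headers")
    icmp_type, code = icmp_msg[0], icmp_msg[1]
    quoted = icmp_msg[8:]                    # original datagram quoted by the sender
    ihl = (quoted[0] & 0x0F) * 4             # quoted IP header length (options allowed)
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("malformed quoted IPv4 header")
    if quoted[9] != 17:                      # protocol field must be UDP
        raise ValueError("quoted datagram is not UDP")
    (dport,) = struct.unpack("!H", quoted[ihl + 2:ihl + 4])
    index = dport - BASE_PORT
    if index < 0:
        raise ValueError("destination port is below the probe range")
    if (icmp_type, code) == (11, 0):
        kind = "hop"                         # Time Exceeded, TTL exceeded in transit
    elif (icmp_type, code) == (3, 3):
        kind = "destination"                 # Destination Unreachable, Port Unreachable
    else:
        kind = "other"
    return {"kind": kind, "dport": dport,
            "ttl": index // PROBES_PER_ROUND + 1,
            "probe": index % PROBES_PER_ROUND + 1}

if __name__ == "__main__":
    for t, c, port in [(11, 0, 33434), (11, 0, 33438), (3, 3, 33442)]:
        print(classify_reply(build_icmp_error(t, c, port)))
```

The length and protocol checks matter because the quoted bytes come from whoever sent the ICMP message and cannot be trusted as received.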

Some Traceroute Considerations

  • When Traceroute displays asterisks, it means that the response to the Traceroute timed out.
  • Even though traceroute displays the round-trip time, it displays only the forward path; the reverse path can be different from the forward path, but we cannot determine it from traceroute.
  • If the reverse path is slow or is congested, it affects the Round-Trip Time.
  • We can usually determine the locations of the nodes from reading the traceroute output.

References

Traceroute, Richard A. Steenbergen, 2011

Understanding the Ping and Traceroute Commands

Cloudshark
