Traceroute is less a tool to "see" your network path and more a clever hack to force routers to tell you what they think your path is.

Let’s see it in action. Imagine we want to trace the path to google.com.

traceroute google.com

Here’s a sample output:

traceroute to google.com (142.250.184.142), 64 hops max, 52 byte packets
 1  router.local (192.168.1.1)  1.234 ms  1.567 ms  1.890 ms
 2  10.0.0.1 (10.0.0.1)  5.678 ms  5.901 ms  6.123 ms
 3  203.0.113.1 (203.0.113.1)  10.111 ms  10.345 ms  10.567 ms
 4  198.51.100.1 (198.51.100.1)  15.789 ms  15.901 ms  16.123 ms
 5  * * *
 6  172.16.0.1 (172.16.0.1)  20.345 ms  20.567 ms  20.789 ms
 7  203.0.113.2 (203.0.113.2)  25.901 ms  25.123 ms  25.345 ms
 8  142.250.184.142 (142.250.184.142)  30.456 ms  30.678 ms  30.901 ms

What’s happening here is not that your packet is visiting each of these IP addresses in sequence and then reporting back. Instead, traceroute uses a clever trick with the Time To Live (TTL) field in IP packets.

When you send a packet, it has a TTL value. Each router that handles the packet decrements the TTL by one. If a router receives a packet with a TTL of 1, it decrements it to 0, discards the packet, and crucially, sends an ICMP "Time Exceeded" message back to the original sender. Traceroute sends a series of UDP packets (or sometimes ICMP Echo Request packets, depending on the implementation) with incrementally increasing TTL values, starting from 1.

The first packet has TTL=1. The first router decrements it to 0, discards it, and sends back an ICMP "Time Exceeded" message. Traceroute records the IP address of the router that sent this message and the round-trip time. The second packet has TTL=2. It gets through the first router (TTL becomes 1), but the second router decrements it to 0, discards it, and sends back an ICMP "Time Exceeded" message. Traceroute records this second hop. This continues, incrementing the TTL by one for each subsequent probe, until the destination is reached. When the destination receives the packet, it usually responds with an ICMP "Port Unreachable" message (because the UDP port traceroute uses is typically not open), and traceroute knows it’s arrived.

The asterisks (* * *) indicate that no ICMP "Time Exceeded" message was received from a router within the timeout period. This can happen for several reasons: the router might be configured not to send ICMP messages, it might be overloaded, or there might be a firewall blocking the ICMP response. It doesn’t necessarily mean the packet didn’t reach that router, just that no response arrived.
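The probing loop described above can be modelled offline. The following is an added example, not code from the original page or from any traceroute implementation; it sends no packets, and the names `Router`, `send_probe` and `traceroute`, the `silent-hop-5` placeholder and the constructed path (which mirrors the sample output) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Router:
    addr: str
    sends_icmp: bool = True  # False: expires probes without sending Time Exceeded

# Constructed path mirroring the sample output; hop 5's address is a placeholder.
PATH = [
    Router("192.168.1.1"), Router("10.0.0.1"), Router("203.0.113.1"),
    Router("198.51.100.1"), Router("silent-hop-5", sends_icmp=False),
    Router("172.16.0.1"), Router("203.0.113.2"),
]
DEST = "142.250.184.142"

def send_probe(ttl, path=PATH, dest=DEST, dest_replies=True):
    """Forward one probe; return (icmp_type, sender) or None on timeout."""
    for router in path:
        ttl -= 1                       # each router decrements the TTL
        if ttl == 0:                   # expired here: the probe is discarded
            if router.sends_icmp:
                return ("time-exceeded", router.addr)
            return None                # no reply, but the router did see the probe
    # TTL outlived every router, so the probe reaches the target's closed UDP port.
    return ("port-unreachable", dest) if dest_replies else None

def traceroute(max_hops=64, **kw):
    """Raise the TTL one hop at a time; '*' marks a probe that timed out."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(ttl, **kw)
        hops.append("*" if reply is None else reply[1])
        if reply and reply[0] == "port-unreachable":
            break                      # destination answered: stop probing
    return hops

if __name__ == "__main__":
    for n, hop in enumerate(traceroute(), 1):
        print(f"{n:2d}  {hop}")
    # A destination that filters the probes never ends the trace early.
    print(traceroute(max_hops=10, dest_replies=False))
```

The silent hop shows up as `*` while later hops still answer, and a destination that never replies leaves trailing `*` entries until the hop limit is reached.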

Traceroute solves the problem of identifying the intermediate network devices (routers) that your data traverses between your machine and a destination server. It helps diagnose network latency issues by pinpointing which hop is introducing the delay, and it can reveal unexpected routing paths. You control the destination and the number of probes sent to each hop (usually three by default).

The most surprising thing about traceroute is that the "hops" it reports aren’t necessarily the only path your traffic takes; they are simply the routers that answered its specific, crafted probes with ICMP "Time Exceeded" messages. Network paths can be dynamic, and different types of traffic (e.g., TCP SYN packets vs. UDP probes) might follow slightly different routes, especially if load balancing or failover mechanisms are in play. The TTL mechanism is a clever way to elicit information, but it’s a one-way street of discovery based on specific packet types.

The next concept to explore is how to interpret packet loss indicated by asterisks and how firewalls can interfere with traceroute’s ability to map a complete path.
