How traceroute Works
traceroute exploits the TTL (Time To Live) field in IP packets. It sends a probe packet with TTL set to 1. The first router decrements TTL to 0 and discards the packet, sending back an ICMP "Time Exceeded" message — which reveals that router's IP address and the time taken to reach it. traceroute then sends a packet with TTL 2, reaching the second hop, and so on, incrementing until the destination is reached or the maximum hop count is exhausted.
By default, Linux traceroute sends UDP datagrams to a high port, macOS sends ICMP Echo Requests, and Windows tracert sends ICMP Echo Requests. The destination host recognises the final probe and sends back an ICMP Port Unreachable (UDP) or Echo Reply (ICMP), signalling that the path is complete.
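The reply handling described above, as an added example that is not part of the original page: it decides from each ICMP message whether a probe expired at a router or reached the destination. The function names and the sample replies are constructed for illustration, and the sample messages omit the quoted original header that real ICMP errors carry.

```python
import struct
# ICMP type/code numbers (RFC 792) for the replies named above.
ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED, PORT_UNREACH = 0, 3, 11, 3

def checksum(data):  # Internet checksum: one's-complement sum of 16-bit words
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, payload=b""):
    """Construct a sample ICMP message standing in for a captured reply."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def classify(reply, probe):
    """Map one reply (bytes, or None on timeout) to what traceroute learns."""
    if reply is None:
        return "timeout"                  # shown as '*'
    if len(reply) < 8 or checksum(reply) != 0:
        return "invalid"                  # truncated or corrupted message
    icmp_type, code = reply[0], reply[1]
    if icmp_type == TIME_EXCEEDED and code == 0:
        return "hop"                      # TTL reached 0 at a router
    if probe == "udp" and (icmp_type, code) == (DEST_UNREACH, PORT_UNREACH):
        return "destination"
    if probe == "icmp" and icmp_type == ECHO_REPLY:
        return "destination"
    return "other"

def trace(replies, probe):
    """Walk replies in TTL order; stop once the destination answers."""
    path = []
    for ttl, (sender, reply) in enumerate(replies, start=1):
        kind = classify(reply, probe)
        path.append((ttl, sender if kind in ("hop", "destination") else "*"))
        if kind == "destination":
            break
    return path

# Constructed replies: two routers, one silent hop, then the destination.
SAMPLE = [
    ("192.168.1.1", build_icmp(TIME_EXCEEDED, 0)),
    ("10.0.0.1", build_icmp(TIME_EXCEEDED, 0)),
    (None, None),
    ("203.0.113.42", build_icmp(DEST_UNREACH, PORT_UNREACH)),
]
```

The same Port Unreachable message is not treated as completion when the probes are ICMP Echo Requests, which is why the probe type is passed to `classify`.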
Basic Syntax
On Linux and macOS:
traceroute google.com
On Windows:
tracert google.com
Both commands accept a hostname or IP address. By default they probe up to 30 hops and send 3 probes per hop, reporting three RTT values per line.
Key Flags by Platform
| Purpose | traceroute (Linux/macOS) | tracert (Windows) |
|---|---|---|
| Disable DNS resolution | -n | -d |
| Use ICMP Echo probes | -I | default behaviour |
| Use TCP probes | -T | not available natively |
| Set destination port (TCP/UDP) | -p <port> | not available |
| Set maximum hops | -m <hops> | -h <hops> |
| Set per-probe timeout | -w <seconds> | -w <milliseconds> |
| Set source interface | -i <interface> | -S <srcaddr> |
Reading a Sample Output
Here is a representative 12-hop trace from a home connection to a CDN edge node:
traceroute to cdn.example.com (203.0.113.42), 30 hops max
1 192.168.1.1 1.2 ms 1.1 ms 1.0 ms
2 10.0.0.1 8.4 ms 8.1 ms 8.3 ms
3 100.64.0.1 12.3 ms 12.1 ms 12.4 ms
4 core1.isp.net 15.6 ms 15.5 ms 15.9 ms
5 peer1.isp.net 18.2 ms 18.0 ms 18.3 ms
6 transit.cdn.net 19.8 ms 19.5 ms 19.7 ms
7 * * *
8 edge1.cdn.net 21.4 ms 21.2 ms 21.5 ms
9 203.0.113.42 22.1 ms 22.0 ms 22.3 ms
Hop 1 is your home router. Hops 2–3 are your ISP's access network. Hops 4–5 are the ISP backbone. Hops 6–9 transition through peering into the CDN. Hop 7 shows three asterisks — that router does not reply to probes but clearly forwards traffic because subsequent hops respond normally.
What Asterisks Mean and When to Worry
Three asterisks at a hop mean no ICMP Time Exceeded reply arrived within the timeout. This is extremely common and usually harmless — many routers are configured to deprioritise or drop ICMP replies to probes while still forwarding regular traffic at full speed. You should only investigate asterisks if they persist from a given hop all the way through to the destination, which suggests a genuine routing failure or firewall block.
Diagnosing Latency Spikes
Look for hops where RTT jumps significantly compared to the previous hop. A 40 ms increase at hop 6 with all subsequent hops also 40 ms higher points to a slow link at hop 6 — possibly a long-distance fibre segment or a congested peering point. If latency spikes at a hop but returns to lower values at the next hop, the high-latency hop is deprioritising probe replies rather than being genuinely slow for user traffic.
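The two rules of thumb above (asterisks only matter when they persist to the end, and a latency jump only matters when later hops keep it) applied to traceroute output, as an added example that is not part of the original page. The function names, the verdict labels, the 40 ms default threshold and the sample trace are assumptions made for illustration.

```python
import re
from statistics import median

def parse(text):
    """Return [(hop, median RTT in ms, or None if no probe was answered)]."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue                      # header or blank line
        rtts = re.findall(r"(\d+(?:\.\d+)?)\s+ms\b", m.group(2))
        hops.append((int(m.group(1)), median(map(float, rtts)) if rtts else None))
    return hops

def analyse(text, jump_ms=40.0):
    """Apply the two rules of thumb above; jump_ms is an assumed threshold."""
    hops = parse(text)
    answered = [(h, r) for h, r in hops if r is not None]
    last_answer = answered[-1][0] if answered else 0
    # Asterisks before the last answering hop: router forwards but stays silent.
    findings = [(h, "silent-but-forwarding") for h, r in hops
                if r is None and h < last_answer]
    if hops and hops[-1][0] > last_answer:
        findings.append((last_answer + 1, "no-replies-to-end"))
    for i in range(1, len(answered)):
        (_, prev), (hop, rtt) = answered[i - 1], answered[i]
        if rtt - prev < jump_ms:
            continue
        later = [r for _, r in answered[i + 1:]]
        # RTT falls back further on: this hop only answers probes slowly.
        transient = bool(later) and min(later) < prev + jump_ms
        findings.append((hop, "transient-spike" if transient else "sustained-jump"))
    return sorted(findings)

# Constructed trace (documentation addresses), not output from a real run.
SAMPLE = """\
 1  192.168.1.1  1.2 ms  1.1 ms  1.0 ms
 2  10.0.0.1  8.4 ms  8.1 ms  8.3 ms
 3  * * *
 4  198.51.100.1  80.2 ms  79.8 ms  81.0 ms
 5  198.51.100.9  14.1 ms  14.0 ms  14.3 ms
 6  198.51.100.17  59.6 ms  59.5 ms  59.9 ms
 7  203.0.113.1  61.4 ms  61.2 ms  61.5 ms
 8  * * *
 9  * * *
"""

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Only the `sustained-jump` and `no-replies-to-end` verdicts call for further investigation; the other two describe routers that treat probe replies as low priority.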
Using TCP Mode to Bypass Firewalls
Many firewalls block UDP and ICMP probes, causing traceroute to show asterisks even when the path is functional. If you know the destination has an open TCP port (such as port 80 for HTTP or 443 for HTTPS), switch to TCP mode on Linux:
traceroute -T -p 443 google.com
TCP probes are far less likely to be dropped by firewalls and give a more complete picture of the path to web servers and other TCP services. This flag requires root or sudo on most Linux distributions.
Frequently Asked Questions
What is the difference between traceroute and tracert?
traceroute is the command name on Linux and macOS. tracert is the equivalent command on Windows. Both map the path to a destination by sending packets with incrementally increasing TTL values, but they differ in defaults: Linux traceroute uses UDP packets by default, while Windows tracert uses ICMP Echo Requests. The output format is also slightly different, but both show hop-by-hop latency to the destination.
How do I run traceroute on Windows?
On Windows, the command is tracert (not traceroute). Open Command Prompt or PowerShell and type: tracert google.com. To disable DNS resolution for faster output, add the -d flag: tracert -d google.com. To increase the maximum number of hops beyond the default of 30, use -h: tracert -h 64 google.com.
What do asterisks mean in traceroute output?
An asterisk (*) means no response was received from that hop within the timeout period. This happens when a router is configured to not respond to the probe type being used (commonly UDP or ICMP), when a firewall drops the probe, or when the router is simply very busy. A few asterisks mid-path followed by a successful final hop usually means those routers silently forward traffic but do not reply to probes — not a real problem.
How can I make traceroute use ICMP instead of UDP?
On Linux, use the -I flag: traceroute -I google.com. This sends ICMP Echo Requests, which are less likely to be blocked by some firewalls, instead of UDP datagrams. For TCP-based probing (to reach hosts that block both UDP and ICMP), use the -T flag: traceroute -T -p 80 google.com. On macOS, traceroute uses ICMP by default.
What does it mean if traceroute never reaches the destination?
If traceroute runs to its maximum hop count (default 30) without reaching the destination, the destination is either unreachable, a firewall is blocking the probe packets before they arrive, or the return path is broken (the packets reach the host but replies are dropped). Try switching protocols with -I for ICMP or -T for TCP. If the final hop shows asterisks but a ping or curl to the same host succeeds, a firewall is silently dropping the traceroute probes.
How many hops is normal for a traceroute?
A typical traceroute to a major internet destination crosses 10–20 hops. Fewer than 10 often means a nearby server or CDN edge node is answering. More than 25 can indicate a suboptimal or circuitous route. The total hop count matters less than where latency increases — a sudden jump of 50 ms or more at a specific hop points to a congested or geographically distant link.