The TTL Trick That Makes Traceroute Work
Every IP packet carries a field called TTL — Time To Live. It is not a time value in seconds; it is a hop counter. When a router receives a packet, it decrements the TTL by 1. If TTL reaches 0, the router discards the packet and sends an ICMP Type 11 "Time Exceeded" message back to the sender — crucially, from the router's own IP address.
Traceroute exploits this behavior deliberately. It sends a series of probe packets with incrementally increasing TTL values. The first packet has TTL 1, so it expires at the first router, which reveals itself with a Time Exceeded message. The second packet has TTL 2, reaching the second router before expiring. This continues until the packet reaches the final destination, which responds with an ICMP Echo Reply or a "port unreachable" message.
The result is a complete hop-by-hop map of the network path with a round-trip time measurement at each step. On Linux and macOS, the command is traceroute. On Windows, it is tracert. The tool mtr extends this concept with continuous probing.
What the Output Tells You
Each line in a traceroute represents one router hop. The line shows the hop number, the hostname or IP address of the router at that hop, and three round-trip time measurements in milliseconds — one for each of the three probe packets sent to that hop.
The three measurements let you assess consistency. If all three values are similar, the latency at that hop is stable. If one value is much higher than the others, there was a momentary delay or rate-limiting on that probe. If all three are consistently high, that hop genuinely adds latency to your path.
The cumulative latency should increase as hops progress — each additional router and the cable connecting it adds delay. If latency drops at a later hop, that is usually a measurement artifact (ICMP rate-limiting at an intermediate hop) rather than genuine backwards routing.
Reading a Real Traceroute
Here is a realistic traceroute from a home network to a content server, showing 10 hops with typical latency values:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 1.2 ms 1.1 ms 1.0 ms
2 10.18.64.1 (10.18.64.1) 8.4 ms 8.6 ms 8.5 ms
3 100.64.0.1 (100.64.0.1) 11.2 ms 11.0 ms 11.3 ms
4 be-304.rcr01.bos01.isp.net 12.8 ms 12.9 ms 12.7 ms
5 be-7.rcr02.nyc01.isp.net 18.3 ms 18.1 ms 18.4 ms
6 ae-5.edge01.nyc01.isp.net 19.0 ms 18.8 ms 19.1 ms
7 ae-2.pni01.nyc01.edge.net 20.4 ms 20.3 ms 20.5 ms
8 ae-4.core01.nyc01.edge.net 21.1 ms 21.0 ms 20.9 ms
9 ae-9.dc01.bos01.edge.net 24.7 ms 24.5 ms 24.8 ms
10 93.184.216.34 (93.184.216.34) 25.2 ms 25.1 ms 25.3 msHop 1 is the home router at under 2 ms. Hops 2 and 3 are ISP infrastructure — the jump from 1 ms to 8 ms reflects the last-mile connection. Hops 4 through 6 traverse the ISP's backbone with modest latency additions. Hops 7 through 9 are on a content delivery network's infrastructure. Hop 10 is the destination itself at just over 25 ms — a healthy result for a cross-region request.
What Asterisks Mean
An asterisk in place of a latency value means traceroute did not receive a response for that probe within the timeout window (usually 5 seconds). There are two common explanations.
The first and most common: the router at that hop is configured to not generate ICMP Time Exceeded messages. Many network operators disable or rate-limit ICMP responses on transit routers to reduce processing overhead and avoid exposing internal topology. The router is fully functional and is forwarding your traffic — it simply does not reply to TTL-expired packets. You will often see asterisks at several hops in the middle of a traceroute while the final destination still responds normally.
The second explanation: genuine packet loss. If you see asterisks starting at a particular hop and all subsequent hops also show asterisks, the path is genuinely broken at that point. The distinction matters: a lone asterisk in an otherwise healthy trace is harmless. A wall of asterisks from hop N onwards indicates a real routing failure.
traceroute vs tracert vs mtr
| Tool | OS | Protocol | Notes |
|---|---|---|---|
traceroute | Linux, macOS | UDP (default) or ICMP | Standard Unix tool; use -I for ICMP mode, -T for TCP probes |
tracert | Windows | ICMP Echo Request | Windows built-in; same concept, ICMP-only, no TCP option |
mtr | Linux, macOS | ICMP or UDP | Continuous probing with live packet loss and latency stats per hop; far more useful for diagnosing intermittent problems |
PathPing | Windows | ICMP | Windows alternative to mtr; probes each hop for 100 packets and reports loss percentage |
What to Look for When Diagnosing Latency
When using traceroute to diagnose a latency problem, focus on where latency increases significantly between adjacent hops. A jump of 20 ms or more between consecutive hops points to a slow link or a congested segment between those routers. If the jump happens at your ISP's edge router, the problem is likely in the last mile or at peering. If it happens further downstream, the issue is in transit or at the destination's network.
Also watch for asymmetric latency — situations where the outbound path (your traceroute) looks clean but downloads feel slow. Traceroute only shows you the forward path; return traffic may take a completely different route. Tools like mtr used in combination with a reverse traceroute from the destination can reveal return-path problems.
Finally, do not obsess over individual hop latency values. What matters most is the latency at the final destination. High intermediate hop latency that does not translate to high final latency is almost always an ICMP rate-limiting artifact.
Frequently Asked Questions
What does traceroute show?
Traceroute shows every router between your computer and a destination, along with the round-trip time to each hop. It reveals the network path your traffic takes and where latency is introduced or where packet loss begins.
What do the three numbers per hop mean?
Each hop displays three round-trip time values in milliseconds, one for each probe packet sent. Three measurements allow you to spot inconsistency — a single outlier suggests a momentary delay, while consistently high values indicate genuine latency at that hop.
Why do some hops show asterisks?
An asterisk means no response arrived within the timeout. The router at that hop likely drops ICMP Time Exceeded messages as a policy decision. This does not mean the hop is broken — subsequent hops often respond normally. Only worry if asterisks appear continuously from one hop all the way to the destination.
What is the difference between traceroute and ping?
Ping tests reachability to a single host and measures round-trip time. Traceroute maps every intermediate router on the path. Use ping for a quick check; use traceroute when you need to identify which part of the network path is causing a problem.
What does it mean if latency suddenly jumps at one hop?
A sudden jump may indicate rate-limited ICMP responses at that router (the router is deprioritizing ICMP replies relative to normal traffic) or a genuinely slow link between that hop and the previous one. If latency stays high for all subsequent hops, the slow link is real. If subsequent hops return to lower latency, it was an ICMP artifact.
What is mtr?
mtr (Matt's Traceroute) combines traceroute and ping into a continuously updating display. It probes each hop repeatedly and reports packet loss percentage and average round-trip time per hop over time. This makes it the best tool for diagnosing intermittent packet loss or jitter, which a single traceroute run cannot reliably detect.