How does traceroute work?

Traceroute is one of the most widely used network diagnostic tools. It displays the hops (routers) through which a packet travels from source to destination, and it gives you the round trip time (RTT) from the source to each hop on the path. RTT is the time, in milliseconds, for a packet to reach the destination and return to the source. If you are experiencing latency (delay) in your network, you can use the traceroute utility to troubleshoot the issue.

We need to know some basic things in order to fully understand traceroute.

TTL (Time to live): TTL is the number of hops (routers) a packet can traverse before it is discarded. The idea behind TTL is to stop a packet from circulating through the internet/network forever if there is a routing loop. Each hop (router) decreases the TTL value by 1 as the packet passes through it. It is an 8-bit field in the IPv4 header, so the maximum TTL value is 2^8-1 = 255. This field is called “Hop Count” in the IPv6 header.

When a device or computer sends a packet to a destination, it sets a particular TTL value in the IP header. Each intermediate hop/router then decreases the TTL value by 1. When the TTL value reaches 0, the packet is discarded and an ICMP TTL exceeded message (ICMP message type 11, code 0) is sent back to the source of the packet.

Now, coming back to traceroute discussion.

When we traceroute an IP address, the traceroute utility sends an ICMP Echo request message (type 8, code 0) with a TTL value of 1 in the IP header. When the packet reaches the first router (the gateway), the gateway looks up the destination IP address in its forwarding table (CEF) and decides to send the packet to the next (2nd) router. Before forwarding the packet, it must decrease the TTL value by 1, so the new TTL value is 1-1=0, and it cannot forward a packet whose TTL is 0. It discards the packet and sends an ICMP TTL exceeded message back to the original sender, with the IP address of its inbound interface as the source IP address in the IP header.

Note:- The ICMP TTL exceeded message contains the original IP header and the first 8 bytes of the original packet’s data, so that the originating device can match the reply to the particular request message it was sent for.

When the originating device receives the ICMP TTL exceeded error message, it takes the source IP address of that message and displays it on the screen together with the RTT. Now we have the IP address of the first router. By default, traceroute sends 3 ICMP echo messages with TTL 1, so we get 3 ICMP TTL exceeded messages.

Note:- By default, traceroute tries to resolve each IP address to a name with the help of DNS.

Now the traceroute utility sends 3 more ICMP echo messages with a TTL value of 2. The packet reaches the gateway (first router), which looks up the destination IP address in its forwarding table (CEF) and decides to send the packet to the 2nd router. Before forwarding the packet, it decreases the TTL value by 1, so the new TTL value is 2-1=1.

The packet now reaches the 2nd router with a TTL of 1. This router also looks up the destination IP address in its CEF table and decides to send the packet to the 3rd router. Before forwarding the packet, it must decrease the TTL value by 1, so the new TTL value is 1-1=0, and it cannot forward a packet whose TTL is 0. It discards the packet and sends an ICMP TTL exceeded message (quoting 28 bytes of the original packet: the 20-byte IP header plus the first 8 bytes of data) back to the original sender, with its inbound interface IP as the source IP address in the IP header. From this ICMP error message, the originating device learns the IP address of the 2nd router.

Then the traceroute utility sends 3 more packets with a TTL of 3. The same process repeats until the packet reaches the destination.

Once the packet reaches the destination, the destination responds with an Echo reply (type 0, code 0). The originating device then knows that the trace has completed successfully, and it displays the destination as the last hop on the screen.

Note:- The originating device expects a reply within a specified time. If no reply arrives within that time, an asterisk (*) is displayed on the screen. Some devices on the path are configured not to respond to ICMP echo requests for security reasons, so in that case we may see an asterisk (*), as below.

[Screenshot of traceroute output omitted] An asterisk (*) is displayed for every probe to which the originating device did not get any response.

There are several implementations of traceroute. An implementation can use any of the following 3 protocols:

  1. ICMP (used in the Windows environment)
  2. UDP (used in the Linux environment)
  3. TCP

We have already discussed traceroute using ICMP Echo requests. Now we will see how traceroute works using UDP and TCP.

Traceroute using UDP:

By default, the traceroute utility in a Linux or Unix environment uses UDP with destination port numbers ranging from 33434 to 33534 instead of ICMP echo requests. However, we can force the traceroute utility to use ICMP from the command line.

Traceroute using UDP works the same way as with ICMP. The first set of 3 UDP packets is sent with a TTL value of 1, so the originating device gets 3 ICMP TTL exceeded messages from the 1st router (gateway). Then the originating device sends the next 3 UDP packets with TTL 2. The same process continues until the packet reaches the destination.

When the packet reaches the destination, the destination checks the destination port number in the UDP header. Since no application on the destination is listening on that particular port, it sends an ICMP port unreachable error message (type 3, code 3) to the originating device. From this error message, the originating device learns that the packet has finally reached the destination and that the traceroute has completed successfully.

Traceroute using TCP:

When we use TCP for traceroute, the utility sends a SYN (the first packet of the TCP 3-way handshake) to destination port 80 with an increasing TTL each round, and it receives ICMP TTL exceeded messages in return until the probe reaches the destination. If you want to use another port, for example 443 or 8080, you need to specify the port number explicitly in the traceroute command.

When the packet reaches the destination, the destination responds with SYN+ACK (the 2nd packet of the TCP 3-way handshake) if it is listening on port 80. The originating device then knows that the packet has reached the destination and sends a TCP Reset to close the half-open connection.
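To make the whole exchange concrete, here is a small Python simulation added as an example; it is not code from the original post and it never touches the network. It models the router behaviour from the TTL section (decrement, discard at 0, ICMP type 11 code 0 from the inbound interface), the ICMP error quoting the original IP header plus the first 8 bytes of data, and all three probe types discussed above: ICMP echo, UDP to ports 33434 and up, and TCP SYN to port 80. The IP addresses, the ICMP identifier 0x1234, the source port 40000 and every function name are assumptions made for this example; checksums are left at zero because nothing goes on the wire.

```python
import struct
from socket import inet_aton, inet_ntoa

# ICMP types/codes and protocol numbers named in the post
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options

def ip_header(src, dst, ttl, proto, payload_len):
    """Build a minimal IPv4 header (checksum left zero: this is a simulation)."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       inet_aton(src), inet_aton(dst))

def parse_ip(pkt):
    f = struct.unpack(IP_FMT, pkt[:20])
    return {"ttl": f[5], "proto": f[6], "src": inet_ntoa(f[8]), "dst": inet_ntoa(f[9])}

def icmp_error(sender_ip, original, itype, code):
    """ICMP error = type, code, checksum, unused, then the original IP header plus the
    first 8 bytes of its data (28 bytes), which is what lets the source match it."""
    body = struct.pack("!BBHI", itype, code, 0, 0) + original[:28]
    return ip_header(sender_ip, parse_ip(original)["src"], 64, PROTO_ICMP, len(body)) + body

def build_probe(src, dst, ttl, mode, seq):
    """One probe in the three flavours described in the post. `seq` lands inside the
    first 8 bytes of the transport header, so the quoted copy identifies the probe."""
    if mode == "icmp":     # Echo request type 8 code 0, id 0x1234 (assumed), sequence = seq
        payload, proto = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, seq), PROTO_ICMP
    elif mode == "udp":    # destination port walks up from 33434, as in Linux traceroute
        payload, proto = struct.pack("!HHHH", 40000, 33434 + seq, 8, 0), PROTO_UDP
    else:                  # TCP SYN to port 80, initial sequence number = seq
        payload, proto = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 0x50, TCP_SYN, 65535, 0, 0), PROTO_TCP
    return ip_header(src, dst, ttl, proto, len(payload)) + payload

def router(hop_ip, pkt, silent=False):
    """Decrement TTL (byte 8 of the header). If it reaches 0, discard the packet and,
    unless this router is configured to stay silent, answer with ICMP type 11 code 0."""
    new_ttl = pkt[8] - 1
    if new_ttl == 0:
        return None, (None if silent else icmp_error(hop_ip, pkt, ICMP_TIME_EXCEEDED, 0))
    return pkt[:8] + bytes([new_ttl]) + pkt[9:], None

def destination(dst_ip, pkt, open_tcp_ports=(80,)):
    """What the final host answers: echo reply, port unreachable, SYN+ACK, or nothing."""
    p, d = parse_ip(pkt), pkt[20:]
    if p["proto"] == PROTO_ICMP and d[0] == ICMP_ECHO_REQUEST:
        body = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, *struct.unpack("!HH", d[4:8]))
        return ip_header(dst_ip, p["src"], 64, PROTO_ICMP, len(body)) + body
    if p["proto"] == PROTO_UDP:          # nobody listens on 33434+: type 3 code 3
        return icmp_error(dst_ip, pkt, ICMP_DEST_UNREACH, 3)
    if p["proto"] == PROTO_TCP:
        sport, dport, isn = struct.unpack("!HHI", d[:8])
        if dport in open_tcp_ports:
            body = struct.pack("!HHIIBBHHH", dport, sport, 0, isn + 1, 0x50,
                               TCP_SYN | TCP_ACK, 65535, 0, 0)
            return ip_header(dst_ip, p["src"], 64, PROTO_TCP, len(body)) + body
    return None                          # dropped: the source will print *

def classify(reply, probe):
    """Return ('hop', ip), ('dest', ip) or None when the reply is missing or unrelated."""
    if reply is None:
        return None
    r, d = parse_ip(reply), reply[20:]
    if r["proto"] == PROTO_ICMP and d[0] == ICMP_TIME_EXCEEDED:
        quoted = d[8:]                   # original IP header + first 8 bytes of its data
        return ("hop", r["src"]) if quoted[20:28] == probe[20:28] else None
    if r["proto"] == PROTO_ICMP and d[0] in (ICMP_ECHO_REPLY, ICMP_DEST_UNREACH):
        return ("dest", r["src"])
    if r["proto"] == PROTO_TCP and d[13] & (TCP_SYN | TCP_ACK) == TCP_SYN | TCP_ACK:
        return ("dest", r["src"])        # the real tool now sends RST to tear it down
    return None

def traceroute(src, dst, path, mode="icmp", silent_hops=(), probes=3, max_hops=30):
    """Simulate the exchange. `path` is the ordered list of router inbound-interface IPs.
    Returns [(ttl, [responder or None per probe]), ...], ending at the destination."""
    out = []
    for ttl in range(1, max_hops + 1):
        answers, reached = [], False
        for n in range(probes):
            probe = build_probe(src, dst, ttl, mode, ttl * probes + n)
            pkt, reply = probe, None
            for hop_ip in path:
                pkt, reply = router(hop_ip, pkt, silent=hop_ip in silent_hops)
                if pkt is None:
                    break
            if pkt is not None:
                reply = destination(dst, pkt)
            verdict = classify(reply, probe)
            answers.append(verdict[1] if verdict else None)
            reached |= bool(verdict) and verdict[0] == "dest"
        out.append((ttl, answers))
        if reached:
            break
    return out

if __name__ == "__main__":
    hops = ["10.0.0.1", "192.0.2.1", "198.51.100.1"]          # constructed sample path
    for ttl, answers in traceroute("10.0.0.2", "203.0.113.9", hops, "udp", {"192.0.2.1"}):
        print(ttl, " ".join(a or "*" for a in answers))
```

Each row of the result corresponds to one TTL value and holds one entry per probe (3 by default, as in the post); a router in `silent_hops` drops the expired probe without answering, which is exactly the timeout case that the real tool prints as an asterisk, while the hops after it are still discovered because their probes pass through the silent router with TTL greater than 1.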
