Traceroute And Path Analysis
Category: Network Tools and Commands
Type: Network Tools & Commands
Generated on: 2025-07-10 09:13:33
For: Network Engineering, Administration & Technical Interviews
This cheatsheet provides a comprehensive guide to traceroute and path analysis tools, focusing on practical usage for network administrators and engineers.
1. Tool Overview
- Traceroute (Linux/macOS): A network diagnostic tool that records the route (the specific gateway computers at each hop) that packets take from your computer to a specified destination host. It works by sending packets with incrementing Time-To-Live (TTL) values. Each router along the path decrements the TTL. When the TTL reaches zero, the router sends back an ICMP “Time Exceeded” message. Traceroute uses these messages to identify each hop.
- Tracert (Windows): The Windows equivalent of traceroute, performing the same function. It also defaults to using ICMP echo requests.
- Pathping (Windows): A command-line tool that combines the functionality of ping and traceroute. It sends packets to each router along the path over a period of time, then computes results based on the packets returned from each router. This allows you to see if a particular router is experiencing packet loss.
- MTR (My Traceroute) (Linux/macOS): A dynamic network diagnostic tool combining the functionality of ping and traceroute in a single program. It continually sends packets to each hop along the path, providing real-time statistics on latency and packet loss. It is more robust than traceroute because it doesn’t rely on a single set of packets.
When to Use:
- Traceroute/Tracert: To identify the path packets take to a destination, pinpoint network bottlenecks, and diagnose connectivity issues.
- Pathping: To identify routers along a path experiencing packet loss. Useful for pinpointing intermittent problems.
- MTR: To continuously monitor the path to a destination and identify routers with high latency or packet loss over time. Excellent for troubleshooting intermittent issues and identifying persistent network problems.
2. Basic Syntax
-
Traceroute (Linux/macOS):
Terminal window traceroute [options] <destination> -
Tracert (Windows):
Terminal window tracert <destination> -
Pathping (Windows):
Terminal window pathping [options] <destination> -
MTR (Linux/macOS):
Terminal window mtr [options] <destination># ormtr -rw <destination> > mtr_output.txt # Report mode, write to file
3. Practical Examples
-
Basic Traceroute to Google (Linux/macOS):
Terminal window traceroute google.comtraceroute to google.com (142.250.185.142), 30 hops max, 60 byte packets1 _gateway (192.168.1.1) 1.234 ms 1.345 ms 1.456 ms2 10.0.0.1 (10.0.0.1) 5.678 ms 6.789 ms 7.890 ms3 ... -
Basic Tracert to Google (Windows):
Terminal window tracert google.comTracing route to google.com [142.250.185.142]over a maximum of 30 hops:1 <1 ms <1 ms <1 ms 192.168.1.12 5 ms 6 ms 5 ms 10.0.0.13 ... -
Basic Pathping to Google (Windows):
Terminal window pathping google.comTracing route to google.com [142.250.185.142]over a maximum of 30 hops:0 myhost.example.com [192.168.1.100]1 192.168.1.12 10.0.0.13 ...Computing statistics for 75 seconds...Source to Here This Node/LinkHop RTT Lost/Sent = Pct Lost/Sent = Pct Address0 myhost.example.com [192.168.1.100]1 0ms 0/ 100 = 0% 0/ 100 = 0% 192.168.1.12 5ms 0/ 100 = 0% 0/ 100 = 0% 10.0.0.13 ... -
Basic MTR to Google (Linux/macOS):
Terminal window mtr google.com(This will display a dynamic, updating report in the terminal)
4. Common Options
-
Traceroute (Linux/macOS):
-n: Do not resolve IP addresses to hostnames. Faster and avoids DNS issues.-I: Use ICMP instead of UDP (default). Useful when UDP is blocked.-T: Use TCP SYN packets. Useful for probing firewalls and identifying TCP-based connectivity issues. Requires root privileges.-m <max_hops>: Set the maximum number of hops to probe. Useful for limiting the scope of the traceroute.-w <wait_time>: Set the wait time for a response in seconds.-q <num_queries>: Set the number of probes per hop (default is 3).
-
Tracert (Windows):
-d: Do not resolve IP addresses to hostnames.-h <max_hops>: Set the maximum number of hops to probe.-w <timeout>: Set the timeout for a response in milliseconds.-4: Force using IPv4-6: Force using IPv6
-
Pathping (Windows):
-h <max_hops>: Set the maximum number of hops to probe.-n: Do not resolve IP addresses to hostnames.-p <period>: Set the period between pings in milliseconds.-q <num_queries>: Number of queries per hop.-w <timeout>: Set the timeout for a response in milliseconds.
-
MTR (Linux/macOS):
-r: Report mode. Displays a single report instead of the interactive display.-w: Wide report mode. Shows more information in report mode.-n: Do not resolve IP addresses to hostnames.-c <number>: Specify the number of pings to send.--report-cycles <number>: Set the number of cycles to run in report mode.
5. Advanced Usage
-
Traceroute with ICMP (Linux/macOS): Useful when UDP is blocked.
Terminal window traceroute -I google.com -
Traceroute with TCP SYN (Linux/macOS): Useful for testing firewall rules. Requires root privileges.
Terminal window sudo traceroute -T -p 80 google.com # Trace route using TCP port 80 -
Traceroute to a Specific Port (Linux/macOS): Useful for verifying connectivity to services.
Terminal window traceroute -T -p 443 google.com # Trace route using TCP port 443 (HTTPS) -
MTR in Report Mode to File (Linux/macOS): Collect data for later analysis.
Terminal window mtr -rw google.com > mtr_output.txt -
Pathping with Increased Probe Count (Windows): Get more accurate loss statistics.
Terminal window pathping -q 200 google.com -
Tracing IPv6 Addresses:
Terminal window traceroute 2001:4860:4860::8888 # Linux/macOStracert 2001:4860:4860::8888 # Windows
6. Troubleshooting Scenarios
- High Latency on a Specific Hop: Indicates a bottleneck at that router or a congested link. Investigate the router’s resources (CPU, memory) and the link’s utilization.
- Packet Loss on a Specific Hop (Pathping/MTR): Could indicate a failing router, a congested link, or a router configured to rate-limit ICMP traffic.
- Time Exceeded in Transit (TTL Expired) Messages: Normal part of traceroute operation. Indicates the path is being discovered.
- Request Timed Out: Indicates that a router is not responding to probes. Could be due to a firewall blocking the traffic, a router being down, or a network outage. If it occurs on the first hop, it means the local gateway is unreachable.
- Destination Unreachable: Indicates that the destination host is unreachable. Could be due to a routing problem, a firewall blocking the traffic, or the destination host being down. Verify DNS resolution and routing tables.
- Asterisks (*) in Traceroute Output: Indicate a timeout. The probe packet didn’t receive a response within the allotted time. This can be due to firewalls, rate limiting, or network congestion. A few asterisks are normal, but a long string of them indicates a problem.
- Routing Loops: Packets bounce between routers before eventually timing out. Look for repeated IP addresses in the traceroute output. This indicates a misconfigured routing table.
7. Output Interpretation
- Hop Number: The sequential number of the hop from the source.
- Hostname/IP Address: The hostname (if resolved) and IP address of the router at that hop.
- Latency (RTT): The round-trip time (in milliseconds) for probes to reach that hop and return. Multiple values indicate multiple probes were sent.
- Packet Loss (Pathping/MTR): The percentage of packets lost at that hop.
Analyzing MTR Output:
MTR provides a continuous view. Look for consistently high latency or packet loss on specific hops. A sudden spike in latency or loss can indicate a temporary issue. The “Best,” “Avg,” “Worst,” and “StDev” columns provide statistics on latency.
8. Security Considerations
- Information Disclosure: Traceroute reveals the network topology and IP addresses of routers along the path. Consider this when performing traceroutes to sensitive destinations.
- Denial-of-Service (DoS): Excessive traceroute activity can potentially overload network devices. Use traceroute responsibly and avoid running it continuously for extended periods.
- Firewall Evasion: Using TCP SYN traceroute can sometimes bypass firewalls that block UDP or ICMP traffic. Be aware of the implications when using these techniques.
- Rate Limiting: Many routers are configured to rate-limit ICMP traffic, which can result in incomplete or inaccurate traceroute results. Consider using TCP-based traceroute when possible.
Best Practices:
- Use traceroute judiciously and only when necessary for troubleshooting.
- Avoid running traceroute continuously for extended periods.
- Be aware of the potential security implications of revealing network topology.
- Consider using TCP-based traceroute when ICMP is unreliable.
- Interpret traceroute results in conjunction with other network monitoring tools.
9. Platform Differences
-
Linux/macOS:
- Traceroute is typically installed by default.
- Requires root privileges for TCP SYN traceroute (
sudo traceroute -T). - Supports a wider range of command-line options.
- MTR is readily available through package managers (apt, yum, brew).
-
Windows:
- Tracert is the default traceroute tool.
- Pathping is included for more detailed path analysis.
- MTR can be installed, but requires downloading a separate binary.
- Fewer command-line options compared to Linux/macOS traceroute.
- No built-in TCP SYN traceroute functionality; requires external tools.
-
PowerShell on Windows:
PowerShell has
Test-PathandTest-Connectioncmdlets that can be used for basic path verification, but they do not provide the same level of detail astracertorpathping.
This cheatsheet provides a starting point for using traceroute and path analysis tools. Experiment with the different options and techniques to gain a deeper understanding of network behavior. Remember to be mindful of security considerations and use these tools responsibly.