Understanding Traceroute

If you need to figure out why your network is running slow, understanding the traceroute command (tracert on Windows) lets you spot the slow leg of a network packet’s journey and troubleshoot sluggish network connections. This article will show you how.

How traceroute Works

Understanding how the traceroute command works makes interpreting its results much easier. The more complicated the route a network packet takes to reach its destination, the harder it is to troubleshoot where slowdowns might be occurring. The traceroute command is a great tool for investigating network routing, checking connection speeds, and identifying bottlenecks. Windows has a tracert command that functions similarly.

A small organization’s local area network (LAN) is usually relatively simple in structure, with at least one server and a router or two. The complexity increases on a wide area network (WAN) that communicates between different locations or via the internet. As packets traverse networks, they pass through many devices such as routers and gateways.

Data packet headers, defined by each protocol’s specification, contain metadata that describes the packet’s length, where it came from, where it’s going, the protocol it’s using, and so on. This means that if you can identify the protocol, you can determine the start and end of each field in the header and read the metadata. Traceroute uses the TCP/IP suite of protocols and, by default on Linux, sends User Datagram Protocol (UDP) packets. The IP header contains the Time to Live (TTL) field, an eight-bit integer value. You don’t want to overload unknown devices with torrents of packets, so:
  • Be wary of including traceroute in scripts or unattended jobs.
  • Unless you’re in an urgent situation,  use traceroute outside of normal business hours as the load placed on a network might adversely impact its performance.

How TTL Works

TTL, despite its name, represents a count, not a duration. As a packet travels from its origin to its destination, each router it passes through decrements the TTL counter. If the TTL value reaches one, the next router that receives the packet decrements it to zero. That router then discards the packet rather than forwarding it to the next hop of its journey, because it has “timed out”, and sends an Internet Control Message Protocol (ICMP) Time Exceeded message, containing the original IP header and the first 64 bits of the original packet’s data, back to the packet’s origin. If traceroute sends a packet out with a TTL set to one, the packet reaches the first router and is discarded there. The sender receives an ICMP Time Exceeded message from that router and records the time the round trip took. This process repeats, incrementing the TTL by one each time, until the destination replies or the TTL reaches 30.
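To make the TTL mechanism concrete, here is an added simulation that is not code from the original article. It models a constructed path of routers with made-up latencies (the hop names, the latency values and the silent “isp-core” router are all assumptions), decrements the TTL at each router, returns an ICMP Time Exceeded reply from the router that takes it to zero, and stops when the destination answers or the 30-hop limit is reached. No real packets are sent.

```python
# Added example, not from the original article: a model of the TTL mechanism
# that traceroute relies on. The network below is a constructed list of hops
# with made-up latencies; nothing here sends real packets.
from dataclasses import dataclass

MAX_HOPS = 30                            # traceroute's default upper bound on TTL
ICMP_TIME_EXCEEDED = "time-exceeded"     # a router discarded the probe (TTL hit 0)
ICMP_DEST_REPLY = "destination-reply"    # the destination answered: we are done


@dataclass
class Hop:
    name: str
    latency_ms: float      # constructed one-way delay added by this hop
    responds: bool = True  # False models a device that never answers ('*')


# Constructed path from our machine to a destination; the last entry is the
# destination host itself, everything before it is a router.
PATH = [
    Hop("gateway", 1.0),
    Hop("isp-edge", 4.0),
    Hop("isp-core", 6.0, responds=False),
    Hop("peer-router", 12.0),
    Hop("destination", 3.0),
]


def send_probe(path, ttl):
    """Carry one probe with the given TTL along `path`.

    Returns (reply_kind, hop_name, rtt_ms). Each router decrements TTL before
    forwarding; the router that takes it to zero discards the probe and answers
    with ICMP Time Exceeded, which reveals that router and the round trip to it.
    A hop that never answers yields (None, None, None), i.e. traceroute's '*'.
    """
    elapsed = 0.0
    for index, hop in enumerate(path):
        elapsed += hop.latency_ms
        if index == len(path) - 1:
            # The destination does not forward, so it does not decrement TTL;
            # it simply replies (ICMP echo reply with -I, port unreachable for UDP).
            kind = ICMP_DEST_REPLY
        else:
            ttl -= 1
            if ttl > 0:
                continue               # still alive: forward to the next hop
            kind = ICMP_TIME_EXCEEDED
        if not hop.responds:
            return None, None, None
        return kind, hop.name, 2 * elapsed
    raise AssertionError("unreachable: the destination always ends the loop")


def traceroute(path, first_ttl=1, max_hops=MAX_HOPS):
    """Probe with TTL = first_ttl, first_ttl + 1, ... until the destination
    replies or max_hops is exhausted (traceroute's -f option and default
    30-hop limit). Returns a list of (ttl, hop_name, rtt_ms); hop_name is
    None for a hop that stayed silent."""
    results = []
    for ttl in range(first_ttl, max_hops + 1):
        kind, name, rtt = send_probe(path, ttl)
        results.append((ttl, name, rtt))
        if kind == ICMP_DEST_REPLY:
            break
    return results


if __name__ == "__main__":
    for ttl, name, rtt in traceroute(PATH):
        timing = "" if rtt is None else f"{rtt:.1f} ms"
        print(f"{ttl:2d}  {name or '*':<12}  {timing}")
```

Running it prints one line per TTL, with the third hop shown as “*” because the constructed “isp-core” router never answers, and the run stopping at TTL 5 when the destination replies; passing first_ttl=5 skips straight to the destination, which is what the -f option does.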

Installing traceroute

When you first go to use traceroute, you may be presented with a message like the one below, which means you need to install traceroute before you can use it.
[Image: Attempting to run the traceroute command in Linux; the traceroute application is not found.]
To install traceroute on Linux, use the command shown in the image below:
[Image: Installing traceroute on an instance of Kali Linux.]

Using traceroute

The purpose of using traceroute is to elicit responses from routers at each hop along the path from your computer to the destination. You will find that you get varying amounts of information from each router.

Using traceroute’s Flags

The first time you use traceroute, you may find that it isn’t working as you expected and you get a screen full of “* * *” as in the image below.
[Image: Traceroute command not functioning properly.]
A likely reason for this is that Linux traceroute defaults to UDP (it sends its probes to high UDP ports, and firewalls sometimes block those ports), whereas Windows’ tracert uses ICMP by default. Using the -I (ICMP echo) option for traceroute should produce the expected results. As an example, let’s run a traceroute with the “-I” flag to google.com.
[Image: Output of the traceroute command to google.com with the “-I” flag.]
The first line tells us:
  • The destination and its IP address.
  • The number of hops traceroute will try before giving up.
  • The size of the packets being sent.
All of the other lines contain information about one of the hops. Before we dig into the details, though, we can see there are 11 hops between our computer and Google.com, and hop 11 also tells us that we reached our destination. The format of each hop line is as follows:
  • The name of the device (if the device doesn’t identify itself, its IP address is shown instead);
  • The IP address;
  • The round-trip time for each of the three tests. If an asterisk is here, it means there wasn’t a response for that test. If the device doesn’t respond at all, you’ll see three asterisks and no device name or IP address; that is the response you saw above when traceroute was misconfigured.
You can see it took 11 hops to get to Google from our IP address. Some devices responded with names and others with just IP addresses, but none remained completely anonymous.
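Interpreting those hop lines by eye works for one run, but a parser makes the format explicit and lets you scan for the slow leg automatically. The following is an added example, not code from the original article: it parses the header line and each hop line (device name, address, one round-trip time per probe with None for an asterisk, handling both the normal “name (address)” form and the bare-address form produced by -n), then reports the hop where the best round-trip time jumps by more than a threshold. SAMPLE_OUTPUT is constructed; the hostnames are invented and the addresses come from the RFC 5737 documentation ranges, so none of it is real traceroute output. The parser assumes one responding device per hop line.

```python
# Added example, not from the original article: a parser for traceroute's
# text output that turns each hop line into structured data and flags the hop
# where round-trip time jumps. SAMPLE_OUTPUT is constructed; the addresses are
# from the documentation ranges (RFC 5737) and the names are invented.
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(
    r"traceroute to (\S+) \(([^)]+)\), (\d+) hops max, (\d+) byte packets")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# "name (address)" without -n, or a bare address with -n
DEVICE_RE = re.compile(r"^(\S+)(?: \(([^)]+)\))?")
# one RTT per probe, or '*' for a probe that got no reply
PROBE_RE = re.compile(r"(\d+(?:\.\d+)?) ms|\*")

SAMPLE_OUTPUT = """\
traceroute to example.com (203.0.113.50), 30 hops max, 60 byte packets
 1  gateway.lan (192.0.2.1)  1.201 ms  0.944 ms  1.037 ms
 2  198.51.100.1 (198.51.100.1)  8.410 ms  8.902 ms  8.577 ms
 3  * * *
 4  core1.isp.example (198.51.100.77)  9.113 ms  *  9.480 ms
 5  203.0.113.50 (203.0.113.50)  84.320 ms  83.971 ms  84.055 ms
"""


@dataclass
class HopResult:
    number: int
    name: Optional[str]           # None when no probe was answered
    address: Optional[str]
    rtts: List[Optional[float]]   # one entry per probe; None for '*'

    @property
    def silent(self) -> bool:
        return all(r is None for r in self.rtts)

    @property
    def best_rtt(self) -> Optional[float]:
        answered = [r for r in self.rtts if r is not None]
        return min(answered) if answered else None


def parse_hop_line(line: str) -> HopResult:
    """Parse one hop line. Assumes a single responding device per hop; if
    several appear (traceroute prints extra "name (addr)" pairs), only the
    first is recorded, though every RTT is still collected."""
    m = HOP_RE.match(line)
    if not m:
        raise ValueError(f"not a hop line: {line!r}")
    number, rest = int(m.group(1)), m.group(2)
    if rest.startswith("*"):
        name = address = None
        probes = rest
    else:
        d = DEVICE_RE.match(rest)
        name = d.group(1)
        address = d.group(2) or name   # with -n only the address is printed
        probes = rest[d.end():]
    rtts = [None if p.group(1) is None else float(p.group(1))
            for p in PROBE_RE.finditer(probes)]
    return HopResult(number, name, address, rtts)


def parse_traceroute(text: str):
    """Return (header dict, list of HopResult) for a full traceroute run."""
    header, hops = {}, []
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            header = {"target": h.group(1), "address": h.group(2),
                      "hops_max": int(h.group(3)), "packet_bytes": int(h.group(4))}
        elif line.strip():
            hops.append(parse_hop_line(line))
    return header, hops


def find_latency_jumps(hops, threshold_ms=20.0):
    """Compare each hop's best (minimum) RTT with the previous responding hop's
    and return (hop number, increase in ms) wherever it grows by more than
    threshold_ms. Silent hops are skipped rather than treated as slow: a
    router that rate-limits or drops ICMP is not necessarily a bottleneck."""
    jumps, previous = [], None
    for hop in hops:
        best = hop.best_rtt
        if best is None:
            continue
        if previous is not None and best - previous > threshold_ms:
            jumps.append((hop.number, round(best - previous, 3)))
        previous = best
    return jumps


if __name__ == "__main__":
    header, hops = parse_traceroute(SAMPLE_OUTPUT)
    print(f"{header['target']} ({header['address']}), {len(hops)} hops")
    for hop in hops:
        print(hop.number, hop.name or "*", hop.rtts)
    print("latency jumps:", find_latency_jumps(hops))
```

The jump detector uses the minimum of the three probe times rather than the average, because a single slow probe usually reflects a router answering ICMP at low priority, not the forwarding path; in the constructed sample only hop 5 is flagged, where the best time climbs from about 9 ms to about 84 ms.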

Traceroute Options

Hide Device Names

Including device names leads to a cluttered display, so make it easier to see the data by using the “-n” (no name mapping) option, as seen in the image below.

[Image: Executing traceroute with both the “-n” and “-I” flags in use.]


This makes it easier to pick out large numbers for round-trip timings that could indicate a bottleneck.

Setting the traceroute Timeout Value

Extending the default timeout period of five seconds to ten seconds with the “-w” (wait time) option may get more responses. The command looks like this:
traceroute -Iw 10.0 google.com

Setting the Number of Tests

By default, traceroute sends three packets to each hop, but this can be changed with the -q (number of queries) option to increase or decrease the number of packets. Speed up the test by reducing the number of probe packets sent:
traceroute -Iq 1 google.com

Setting the Initial TTL Value

The initial value of TTL can be set to something other than one, in order to skip some hops. Usually, the TTL values are set to one for the first set of tests, two for the next set of tests, and so on. If we set it to five, the first test will attempt to get to hop five and skip hops one through four. Because we know Google’s website is 11 hops from our computer, we type the following to go straight to Hop 11:
traceroute -If 11 google.com
