Examine Your Network with Ping and Traceroute

Page 2 — Traceroute: Cool Network Tool

While ping is useful, it only lets us measure how long a packet takes to get from one host to another. Wouldn't it be nice to have a tool that can trace out the path that a packet takes? Well, that's exactly what the appropriately named traceroute command does.

Traceroute on Unix and Linux (or tracert in the Microsoft world) attempts to trace the current network path to a destination. Here is an example of a traceroute run to

    $ traceroute
    traceroute to amber.Berkeley.EDU (, 30 hops max, 40 byte packets 
    1 ( 3.135 ms 3.021 ms 3.616 ms 
    2 ( 1.829 ms 3.886 ms 2.772 ms 
    3 ( 5.327 ms 4.597 ms 5.729 ms 
    4 ( 4.842 ms 4.615 ms 3.425 ms 
    5 ( 7.488 ms 38.804 ms 7.708 ms
    6 ( 6.560 ms 6.631 ms 6.565 ms 
    7 ( 7.638 ms 7.948 ms 8.129 ms
    8 ( 9.504 ms 12.684 ms 16.648 ms 
    9 ( 9.762 ms 10.611 ms 10.403 ms
    10 f0-0.inr-107-eva.Berkeley.EDU ( 11.478 ms 10.868 ms 9.367 ms 
    11 f8-0.inr-100-eva.Berkeley.EDU ( 10.738 ms 11.693 ms 11.520 ms 
    12 amber.Berkeley.EDU ( 10.615 ms 10.693 ms 9.802 ms 

Note how it lists the intermediary nodes (my people call 'em routers) between you and the destination. There are three sample times for each router that reflect how long the packet took to get from here to there.

To understand how to fully interpret the traceroute output, you need to know a bit about how it works. It uses two concepts I brought up in my earlier article about ping: the Time to Live (TTL) field in the IP packet (which tells us approximately how many router hops the packet can make before it dies or gets returned) and ICMP control messages (which are special IP control messages used to send network information between two hosts).

Traceroute works by addressing a packet to a (hopefully) unlistened-to UDP port on the destination machine (the default is port 33434). For the initial three packets, it sets the TTL to 1 and releases the packet. The packet then gets transferred to the first router (completing the first hop, in networkese), and the TTL gets decremented by the router from 1 to 0. The router then discards the packet and sends off an ICMP notification packet to our host with the message that the TTL expired from this router. This tells traceroute what the first hop is and how long it takes to get there (among other things). It repeats this, gradually incrementing the TTL until a path to the remote host is traced and it gets back an ICMP Port Unreachable message, indicating that the remote host has been reached (that's why an unlistened-to port is used, so that the packet gets responded to instead of eaten by some random service).
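The reply handling described above, as an added example that is not part of the original article: it parses ICMP replies and uses the quoted UDP header to tell real hop answers (Time Exceeded), the final answer (Port Unreachable) and unrelated ICMP traffic apart. The addresses, source port 40000 and helper names are constructed for illustration, and it assumes one reply per TTL rather than the three probes traceroute sends.

```python
import socket
import struct

BASE_PORT = 33434  # default probe port named in the article
KINDS = {(11, 0): "hop", (3, 3): "destination"}  # Time Exceeded / Port Unreachable
ME, TARGET = "192.0.2.10", "203.0.113.5"  # constructed documentation addresses

def ip_header(src, dst, proto, ttl):
    # Minimal 20-byte IPv4 header; length and checksum left 0 (constructed data).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_reply(responder, icmp_type, icmp_code, dport):
    # An ICMP error quotes the offending IP header plus 8 payload bytes (the UDP header).
    quoted = ip_header(ME, TARGET, 17, 1) + struct.pack("!HHHH", 40000, dport, 8, 0)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    return ip_header(responder, ME, 1, 64) + icmp

def classify_reply(packet):
    """Return (kind, responder_ip, quoted_udp_dport) for one ICMP packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    responder = socket.inet_ntoa(packet[12:16])
    kind = KINDS.get((packet[ihl], packet[ihl + 1]), "other")
    quoted = packet[ihl + 8:]
    if len(quoted) < 28 or quoted[9] != 17:
        return ("other", responder, None)  # no quoted UDP probe inside
    q_ihl = (quoted[0] & 0x0F) * 4
    dport = int.from_bytes(quoted[q_ihl + 2:q_ihl + 4], "big")
    return (kind, responder, dport)

def trace(replies):
    """Build the hop list from replies in arrival order, one per TTL."""
    path = []
    for packet in replies:
        kind, responder, dport = classify_reply(packet)
        if kind == "other" or dport != BASE_PORT:
            continue  # unrelated ICMP traffic, not an answer to our probe
        path.append(responder)
        if kind == "destination":
            break  # Port Unreachable: the target itself answered
    return path

SAMPLE = [
    build_reply("198.51.100.1", 11, 0, BASE_PORT),  # TTL 1 expired at router 1
    build_reply("198.51.100.9", 11, 0, 53),         # stray reply to another packet
    build_reply("198.51.100.2", 11, 0, BASE_PORT),  # TTL 2 expired at router 2
    build_reply(TARGET, 3, 3, BASE_PORT),           # target: Port Unreachable
]
```

Calling `trace(SAMPLE)` returns the two routers followed by the target, with the stray reply dropped because its quoted destination port does not match the probe.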
