Trace route tools and methods

Table of contents

1. What is trace routing. Why do we need tracing routes

2. How tracing routes works

3. Trace route types

4. Tracing software

5. traceroute

5.1 How to use traceroute

5.2 Traceroute methods

5.3 How to speed up tracing. How to disable reverse IP to host name translation during tracing

5.4 IPv6 tracing

5.5 How to change port for tracing

5.6 How to start tracing from a specific hop. How to reduce or increase the number of hops to trace

5.7 Select interface for tracing

5.8 How to show which autonomous system the node belongs to when tracing

5.9 Traceroute options

6. tracepath

7. mtr and mtr-gtk (console and graphic version)

8. lft

9. tcptraceroute

10. Tracerouting in Nmap

11. Ping tracing

12. Windows tracerouting

13. Conclusion

What is trace routing. Why do we need tracing routes

Network trace routing shows all intermediate nodes through which a packet passes until it reaches the specified target. That is, using tracing, you can find out which nodes, with which IP addresses, the packet is transmitted before being delivered to the destination point.

Tracing can be used to identify problems associated with the operation of a computer network, as well as to discover the network (determine the network structure, search for intermediate network nodes).

How tracing routes works

Network packets consist of two parts: headers and data. There are different information in the headers, for example, the IP addresses of the source and destination, the ports of source and destination, the type of packet, the checksum of the packet, and so on. Among the header fields, the IP protocol has a field like time to live (TTL). This is a counter with a number that is decremented by one each time a packet passes a new node. This counter is made to ensure that the problem package (for example, in case of an error that caused a looped route) does not travel around the network indefinitely. That is, any packet having passed a certain number of nodes will eventually reach the destination host or be dropped by one of the network nodes when the time to live ends.

When the TTL counter becomes zero, the next gateway simply does not forward the packet further. But at the same time, the gateway to the IP address where the packet with the expired lifetime came from, sends the response TIME_EXCEEDED using the ICMP protocol. And this answer contains the IP address of the gateway where the packet ended its existence.

So, the essence of tracing is that one packet is sent with a TTL set to one — the first gateway decreases the value by one, looks that the counter has become zero, does not send this packet anywhere, but sends us the answer that ‘the packet has died’. We already know that the packet is dead – from this answer we are only interested in the IP address of the gateway where this misfortune happened to the packet. Then the packet with the TTL counter set to 2 is sent – the packet passes the first gateway (we already know its IP), but the misfortune (the counter reaches zero) happens to it at the second gateway – we get an ICMP response with that gateway’s IP. Then the next packet is sent, and so on, until all nodes to the remote host of interest are identified.

Trace route types

There are several types of tracing. Basically, they differ in the packet being sent – it can be a TCP or UDP transport protocol packet, or an ICMP Internet Control Message Protocol, or a raw IP packet.

Sometimes, due to firewalls or the configuration of network nodes, it is not possible to obtain the IP address of the node. In this case, you can try to use another method that can give results.

This can be illustrated in the following two examples of tracing to the same host:


Asterisks say that we did not get to know some of the nodes.

sudo traceroute -I

By changing the tracing method, it was possible to find out all intermediate nodes. Other methods may give different results.

Some programs allow you to select the tracing method, change the port number, and also set the values of some fields in the packet header.

Tracing software

There are many different utilities for tracing, some of which support various tracing methods. Examples of such programs:

  • traceroute
  • tracepath
  • mtr and mtr-gtk (console and graphic versions, respectively)
  • lft
  • tcptraceroute

You can also tracing routes using Nmap (in several ways) and even using ping!

In this article I will consider all the above programs. Let's start with the traceroute, because it implements the most scanning methods.


How to use traceroute

To start a trace, it is enough to specify the IP or the site to which you want to trace the route:

traceroute IP_or_domen-name

If you are interested in the nearest nodes (local network, for example), then you can choose any site as a destination.

Traceroute methods

In today's networked environments, traditional tracing methods are not always applicable due to the wide usage of firewalls. Such firewalls filter ‘unlikely’ UDP ports or even ICMP echo packets. To solve this problem, some additional network tracing methods (including tcp) are implemented. These methods attempt to use other protocols and source/destination ports to bypass firewalls (so that firewalls perceive them as just the beginning of a network session of an allowed type).

Different methods have options specific to them – they depend on the protocol used. These method options can be specified with the -O option. Multiple options are separated by commas (or use several -O on the command line). Each method may have its own particular options or may not have at all.


The default method is used unless otherwise specified, or you can specify it explicitly with the -M default option. This is a traditional, ancient route tracing method.

The probing packets are udp datagrams with the so-called ‘unlikely’ destination port. The first ‘unlikely’ probe port is 33434, then for each subsequent probe it is increased by one. Since it is expected that the port is not used, the destination host usually returns the final ‘icmp unreach port’ response. Port number can be changed (about it below).

This method can perform unprivileged users.


Now it is the most typical method, it uses icmp echo packets as probes. If you can ping the destination host, then icmp tracing is also applicable. To select this method, use the -M icmp option or its short -I option.

This method is allowed for unprivileged users.

This method has two specific options.


Use only raw sockets (the traditional way).

By default, this method is tried first (for compatibility reasons), then new dgram icmp sockets as a backup option.


Only use dgram icmp sockets


A well-known modern method, designed to bypass firewalls. To use, specify the -M tcp option or the short -T option. Uses a fixed destination port (default is 80, http).

If there are any filters on the network tracing path, it is highly likely that “unusual” udp ports are filtered (such as is used by the default method) or even icmp echo (as for icmp), and the entire trace process will stop at such a firewall. To bypass the network filter, we need to use only combinations of the allowed protocol/port pair. If we do a trace, say, to the mail server, then it is very likely that with the help of -T -p 25 we can reach it, even if with the help of -I it is impossible to do it.

This method uses the well-known ‘half-open connection technique’, thanks to which applications on the destination computer do not see our probes packages at all. Normally sent tcp syn. For ports that are not listened, we get the answer tcp reset – and everything is ready. For actively listening ports, we get tcp syn+ack, but tcp reset is answered (instead of the expected tcp ack), so the remote tcp session is reset, and the application listening on the port does not even receive a notification.

There are several options for the tcp method:


Sets certain tcp flags for a probe package, any combination of these can be used.


Sets the flag field in the tcp header to the exact NUMBER.


Sends a syn packet with tcp ECE and CWR flags (for Explicit Congestion Notification, rfc3168).


Uses the appropriate tcp header option in the outgoing probe packet.


Uses the current sysctl settings (/proc/sys/net/*) for the tcp header options for the above options and ecn. Always set to default if nothing is specified.


Use the value NUMBER for the tcp option of the maxseg header (when syn).


Print the tcp flags of the final tcp responses when the target host is reached. Helps determine if an application is listening on a port and other useful things.

The default options are syn,sysctl.


The initial implementation of the tcp method simply using a call to connect(2), which opens a full tcp session. Not recommended for normal use, as it always affects the application listening port on the destination host.

To enable this method, use the -M tcpconn option.


It uses udp datagrams with a fixed destination port (default is 53, dns). Also designed to bypass firewalls. To use this tracing method, specify the -M udp option or the abbreviated -U option.

Please note that unlike the tcp method, the corresponding application on the destination host always receives our probes (with random data) which can confuse it. In most cases, it will not respond to our packets, so we will never see the last hop (node) in the trace path. (Fortunately, it seems that at least the DNS servers are sending some kind of response).

This method does not require elevated rights.


Udplite uses datagrams for probes (with a fixed destination port, the default is 53). To activate this method, specify the -M udplite or -UL option.

This method does not require elevated rights.



Sets the coverage to send udplite to NUMBER.


Uses DCCP Request packets for probes (rfc4340). This method can be used with the -M dccp or -D options.

This method uses the same ‘half-open connection technique’ that is used for TCP. The default destination port is 33434.



Sets the DCCP service code to NUMBER (the default is 1885957735).


This method sends raw packets of the specified protocol. To call this method, use the -M raw or -P PROTOCOL option.

Transport-specific headers are not used, only IP protocol headers.

Implies -N 1 -w 5.



Use IP PROTOCOL (default 253).

A list of protocols encapsulated in IP on Wikipedia, in the original source.

How to speed up tracing. How to disable reverse IP to host name translation during tracing

Slightly above the principles of the trace are described – sending packets with an ever-increasing TTL. In fact, all packets (with TTL 1, with TTL 2, with TTL 3, etc.) can be sent simultaneously. And this is exactly what happens – by default, 16 packets are sent at a time (the number can be changed with the -N option). This is done to speed up tracing.

Therefore, in reality, tracing is very fast. Those 1-2 seconds, which we think are spent to discover the network nodes, are actually spent on obtaining host names for IP. This can be disabled with the -n option.

Using the time program, you can measure the program execution time with the -n option and without it:

time traceroute -n

time traceroute

The execution time of the trace itself is 0.206s, and the time trace + IP to hostname mapping turned out to be 2,360s, that is, 10 times longer.

IPv6 tracing

By default, the program obtains an IP for the host specified for tracing and, based on the obtained IP address, automatically determines which protocol is used: IPv4 or IPv6. If IPs are received for both protocols, then IPv4 is used by default.

Using the -4 and -6 options, you can explicitly specify the desired protocol.

For example:

traceroute -6 -n

The network from which tracing is done with the -6 option must support IPv6, otherwise it will not work.

How to change port for tracing

You can change the destination port using the option:

-p PORT, --port=PORT

For UDP tracing, the specified port will be used as the base port (the destination port number will increase for each probe).

For ICMP traces, the specified number will be used as the initial ICMP sequence value (also increased for each probe).

For TCP and other, the specified port will be used as the permanent destination port to which you want to connect.

This is usually not required, but you can also specify the source port, this is done with the option:


This option implies -N 1 -w 5. Normally, the source ports (if applicable to the selected tracing method) are selected by the system.

How to start tracing from a specific hop. How to reduce or increase the number of hops to trace

With the -f option, you can specify the node number from which to start tracing. The default value is 1.

With the -m option, you can specify the maximum number of hops for tracing, the default is 30.

Select interface for tracing

By default, packets are sent from the interface for which the default route is configured. But the following option can be made so that traceroute will send packets from the interface specified in the command line:


How to show which autonomous system the node belongs to when tracing

Each IP address is bound to an Autonomous System (AS). Using the -A option, you can enable the mapping of the AS number for each node along the trace path, for example:

sudo traceroute -A -n

Example output:

 1 [AS198949]  1.102 ms  1.708 ms  2.720 ms
 2 [*]  7.121 ms  7.168 ms  11.242 ms
 3 [*]  15.368 ms  15.812 ms  15.788 ms
 4 [*]  16.243 ms  16.213 ms  16.181 ms
 5 [AS38082/AS7470]  16.802 ms  16.776 ms  16.976 ms
 6 [AS38082/AS7470]  17.405 ms [AS38082/AS7470]  16.320 ms [AS38082/AS7470]  21.324 ms
 7 [AS38082/AS7470]  20.946 ms  20.521 ms  21.542 ms
 8 [AS38082/AS7470]  21.896 ms  22.789 ms  23.755 ms
 9 [AS38082/AS7470]  23.431 ms  23.036 ms  24.393 ms
10 [as4651]  26.448 ms [as4651]  25.531 ms [as4651]  26.770 ms
11 [AS4651/AS3549]  76.868 ms  77.298 ms  56.532 ms
12  * * *
13 [AS12389]  306.596 ms  306.452 ms [AS12389]  306.332 ms
14 [AS12389]  307.373 ms  307.322 ms  307.328 ms
15 [AS48666]  307.290 ms  307.268 ms  307.211 ms
16 [AS48666]  307.185 ms  307.181 ms  306.512 ms

As you can see, the autonomous system is not defined for local IP 10.*.*.* - which is quite logical, since these addresses are not assigned to anyone. As for the address and the autonomous unit AS198949, this is some kind of error.

As you can see from the output of the previous command, the first four nodes have local IP addresses. Nodes 5 through 9 belong to one AS38082/AS7470 autonomous system. The penultimate two nodes belong to the same AS12389 autonomous system and the last two nodes also belong to the same AS48666 autonomous system too — the Internet provider that hosts the website.

Traceroute options

The traceroute command has other options that may be useful to you. You can read them in the help page of this program:

man traceroute


The tracepath program is similar to traceroute, but uses only one trace technique: UDP, for which you can specify a port. Due to the chosen technique, the program does not require elevated privileges.

Launch example:


Example output:

 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              1.247ms 
 1:  _gateway                                              1.031ms 
 2:                                            9.097ms 
 3:                                       14.034ms 
 4:                                       14.379ms 
 5:                                        11.530ms asymm  4 
 6:                   13.849ms asymm  5 
 7:                 15.737ms asymm  6 
 8:                   64.185ms asymm  7 
 9:                 14.962ms asymm  8 
10:                 13.509ms asymm  9 
11:                                       18.793ms 
12:                                           58.829ms 
13:  no reply
14:                                       399.972ms asymm 23 
15:                                       263.969ms asymm 14 
16:                           307.140ms 
17:                                            304.644ms reached
     Resume: pmtu 1500 hops 17 back 17

In the first column, next to the node number, there may be a question mark – it means that the TTL number is missing from the reply and the program tries to guess it.

Instead of asterisks, if the IP is not recognized, it is written ‘no reply’.

The last column can be a number and the word asymm. The word asymm means that the route is asymmetric – that is, from us to this node, the package goes along one path, and from this node to us the packet passes along another path. Digits mean the possible number of hopes from this node to us – but the information is not reliable.

Tracepath doesn't have many options:


Use IPv4 only


Use IPv6 only


Do not print the host name, but print the numeric IP value.


Print both the host name and IP address numerically.


Set the initial packet length instead of 65535 for tracepath or 128000 for tracepath6.


Set the maximum number of hops (or maximum TTL) – that is, the number of “knockout” nodes. The default is 30.


Set the initial destination port.

mtr and mtr-gtk (console and graphic version)

The mtr program combines the functionality of the traceroute and ping programs in a single network diagnostic tool. That is, this program shows the route to the specified node and continuously pings every hop and at the same time collects general loss statistics — based on this data, you can determine the problem node where packets are lost.

Luanch example:


Example output:

This program supports several tracing methods.

It also supports various output formats for saving results, for example, the -C, --csv option for saving results in CSV format (note that the semicolon rather than a comma is used as a separator), as well as the -j, --json option to save as JSON output format.

With the -n, --no-dns option, you can disable IP to host name conversion.

With the -b, --show-ips option you can enable the display of both host names and IP addresses.

The option -y n, --ipinfo n allows you to configure the output of additional information about each IP hop. As n you need to specify the number, which means:

	0 Show autonomous system number (AS) (equivalent to -z)
	1 Show IP Prefix
	2 Show AS-based country code
	3 Show RIR (ripencc, arin, ...)
	4 Show IP prefix allocation date

For all values of -y, I only see the autonomous system number. Fortunately, between different views, you can switch in a circle using the y button:

The -z, --aslookup option displays the Autonomous System (AS) number for each hop.

The -f NUM option is used to set the first TTL number. The default is 1.

The -m option specifies the maximum number of hops (the maximum time-to-live value) that will be processed during tracing. The default is 30.

The -U NUMBER option sets a maximum of unfamiliar hosts. The default is 5. Apparently, after reaching this value, further tracing will be stopped.

With the -u, --udp option, the program will use UDP datagrams instead of ICMP ECHO.

And with the -T, --tcp option you can set to use TCP SYN packets instead of ICMP ECHO. PACKETSIZE is ignored because SYN packets cannot contain data.

In mtr, you can even use the SCTP protocol for tracing. To do this, specify the -S, --sctp option and the Stream Control Transmission Protocol packages will be used instead of ICMP ECHO.


	-P PORT, --port PORT
		The target port number for TCP/SCTP/UDP traces.

	-L LOCAL_PORT, --localport LOCAL_PORT
		Source port number for UDP traces.

During the program, interactive commands are available. If you click on d, you can switch between different views:

The r button can reset statistics.

With the o button you can change the order of the fields. By the way, with the -o option you can set which fields you want to display and their order. See details by:

man mtr


The lft program has many trace options and it follows from the description that the program tries several combinations and automatically selects the best solution. Honestly, I did not notice this: the results with manual enumeration of different tracing methods allow you to choose the best option.

The program is well documented and, if desired, can be used as an alternative to traceroute.


The tcptraceroute program uses packets of only one TCP protocol. You can set different flags in the headers of these packages with options. In the traceroute program, you can also set TCP protocol flags, with more options to configure.

Tracerouting in Nmap

In Nmap for tracing there is an option --traceroute, an example of tracing to the site:

sudo nmap --traceroute

If you do not want to scan ports, but simply want to perform a trace, then add the -sn option:

sudo nmap --traceroute -sn

By the way, this significantly reduces the time to output the results.

It happens that the data displayed during the tracing program nmap are not complete. In this case, try additionally adding the -PE option:

sudo nmap --traceroute -sn -PE

In Nmap, you can set options in the IP protocol packet header. Among these options there is one that saves the route passed in the packet header. But this option has a number of limitations:

  • only 9 slots
  • some devices ignore this option
  • some devices do not pass packets with this option set

However, sometimes it works, an example of the command:

sudo nmap -sn --ip-options "R" -n --packet-trace

Example output:

Binary ip options to be send:
\x01\x07\x27\x04\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00
Parsed ip options to be send:
 NOP RR{#}
Starting Nmap 7.70 ( ) at 2019-07-12 18:02 MSK
SENT (0.8154s) ICMP [ > Echo request (type=8/code=0) id=64674 seq=0] IP [ttl=42 id=53218 iplen=68 ipopts={ NOP RR{#}}]
SENT (0.8154s) TCP > S ttl=43 id=9871 iplen=84 ipopts={ NOP RR{#}} seq=1013479372 win=1024 <mss 1460>
SENT (0.8154s) TCP > A ttl=41 id=45814 iplen=80 ipopts={ NOP RR{#}} seq=0 win=1024 
SENT (0.8155s) ICMP [ > Timestamp request (type=13/code=0) id=32210 seq=0 orig=0 recv=0 trans=0] IP [ttl=55 id=35087 iplen=80 ipopts={ NOP RR{#}}]
RCVD (1.1526s) ICMP [ > Echo reply (type=0/code=0) id=64674 seq=0] IP [ttl=48 id=44985 iplen=68 ipopts={ RR{} EOL}]
Nmap scan report for (
Host is up (0.34s latency).
Other addresses for (not scanned): 2a02:f680:1:1100::3d5f
Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds

Pay attention to the line:

RCVD (1.1526s) ICMP [ > Echo reply (type=0/code=0) id=64674 seq=0] IP [ttl=48 id=44985 iplen=68 ipopts={ RR{} EOL}]

It lists the first 9 nodes through which the packet passed.

Ping tracing

The ping program can also record a route — to do this, you need to start the program with the -R option. It adds the RECORD_ROUTE option to the ECHO_REQUEST packet and displays the route buffer of the returned packets. This is the same option that Nmap uses. The limitations are the same: a maximum of 9 slots, many hosts ignore or discard this option.

Launch example:

ping -R

Example output:

IPs are displayed at each ping. If the route does not change, then an inscription is displayed that the route has not changed (same route).

Despite all the limitations of the RECORD_ROUTE option, sometimes it is the only option to get at least some information about the route, since the ping command is almost always present and does not require root privileges to run.

Windows tracerouting

On Windows, tracert is built in to trace a network. She has almost no options. To run the command, it is enough to specify the name of the remote host:


If this functionality is not enough for you, then you can install Nmap in Windows.


Tracing can be useful for discovering the network structure (for example, your ISP's network), as well as for correcting problems with data transmission (for example, to determine the node, beyond which the packets do not pass).

The richest in functionality for network tracing is the traceroute program. Other programs also contain interesting options or can be used as alternatives if nothing else is available or if another programs require superuser privileges.

Recommended for you:

Leave a Reply

Your email address will not be published.