Ady Wicaksono Daily Activities

Traceroute – how it works?


I was a network and system administrator, and one of the tools I used is traceroute (tracert on Windows). Here is an example traceroute from my desktop:

Tracing route to []
over a maximum of 30 hops:
1     2 ms     1 ms     2 ms
2     9 ms    15 ms    12 ms
3    13 ms    11 ms    12 ms
4    12 ms    11 ms     8 ms
5    16 ms    12 ms    13 ms
6    12 ms    14 ms    13 ms
7    20 ms    16 ms    24 ms
8   232 ms   237 ms   230 ms []
9   233 ms   232 ms   230 ms []
10   237 ms   229 ms   232 ms []
11   316 ms   230 ms   426 ms []
12   386 ms   402 ms   400 ms
13   283 ms   294 ms   287 ms []
14   292 ms   295 ms   289 ms []
15   288 ms   291 ms   293 ms []
16   285 ms   286 ms   286 ms []

Traceroute uses the TTL (time-to-live) field of IP (Internet Protocol). TTL is an upper bound on the time that an IP datagram can exist in an internet system. The TTL field is decreased by one by every host on the route to the destination. If the TTL field reaches zero before the datagram arrives at its destination, the datagram is discarded and an ICMP error datagram (11 – Time Exceeded) is sent back to the sender.

So, for the previous example, the traceroute application first sets the TTL to 1 when sending to the destination. When the datagram passes the first hop, the value is reduced by one and becomes zero, so that host sends back an ICMP error datagram. The traceroute application then knows the address of the first hop. Next it sets the TTL to 2; the value again becomes 0 before the datagram reaches its final destination, so the second hop sends an ICMP error datagram. The traceroute application keeps increasing the TTL value and collecting the ICMP error datagram from each hop until the TTL value is big enough to reach the final destination. The result is the traceroute log shown above.
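The TTL walk described above can be followed offline with a small simulation. This is an added example, not code from the original post: the UDP probes with one destination port per probe (base port 33434), the function names and the documentation-range router addresses are assumptions made for illustration.

```python
import socket
import struct

def ip_header(src, dst, ttl, proto, payload_len):
    # 20-byte IPv4 header, no options; checksum left at 0 for this offline demo.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def udp_probe(src, dst, ttl, dport):
    # Assumption: UDP probes, one destination port per probe, to match replies.
    return ip_header(src, dst, ttl, 17, 8) + struct.pack("!HHHH", 33000, dport, 8, 0)

def forward(packet, router_ip):
    """One hop: decrement TTL; at zero, discard and return an ICMP type 11 error."""
    ttl = packet[8] - 1
    if ttl > 0:
        return packet[:8] + bytes([ttl]) + packet[9:], None
    # RFC 792: the error carries the original IP header plus 8 bytes of its data.
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + packet[:28]
    return None, ip_header(router_ip, socket.inet_ntoa(packet[12:16]), 64, 1, len(icmp)) + icmp

def parse_time_exceeded(reply):
    """Return (hop address, probe destination port), or None if not a valid type 11."""
    if len(reply) < 20 or reply[9] != 1:          # too short, or not ICMP
        return None
    icmp = reply[(reply[0] & 0x0F) * 4:]          # skip the outer IP header
    inner = icmp[8:]                              # quoted original datagram
    if len(inner) < 28 or icmp[0] != 11 or inner[9] != 17:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:
        return None
    return socket.inet_ntoa(reply[12:16]), struct.unpack_from("!H", inner, inner_ihl + 2)[0]

def trace(src, dst, routers, max_hops=30):
    hops = []
    for ttl in range(1, max_hops + 1):
        packet = udp_probe(src, dst, ttl, 33434 + ttl)
        for router in routers:
            packet, reply = forward(packet, router)
            if reply is not None:
                break
        else:
            return hops + [(ttl, dst)]    # TTL outlived every router: destination reached
        parsed = parse_time_exceeded(reply)
        if parsed and parsed[1] == 33434 + ttl:   # ignore errors not matching our probe
            hops.append((ttl, parsed[0]))
    return hops

ROUTE = ["192.0.2.1", "198.51.100.7", "203.0.113.9"]  # constructed sample path
```

Calling `trace("10.0.0.5", "198.51.100.200", ROUTE)` lists one hop per TTL value, ending with the destination at TTL 4. The parser rejects truncated replies and replies whose ICMP type is not 11.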

Another issue: on UNIX platforms the traceroute application needs access to the ICMP protocol, which is only accessible by root (or any user with uid = 0). So the traceroute application will mostly run with setuid root active, which can become a security hole. Don’t worry, current traceroute applications are normally secure enough even with the setuid root flag active.

For more information about ICMP, please refer to RFC 792.

Written by adywicaksono

October 5, 2007 at 4:10 pm

Posted in networking
