Traceroute for IP networks - checking the path in IP networks

As we saw with ping in our last article, ping can only tell us whether connectivity is OK or broken. It cannot tell us the path taken by packets through an IP network (knowing which path is taken is helpful in a dynamically routed network). For full path information we use the traceroute utility.

Traceroute can use ICMP, UDP or TCP probes, depending on your operating system. Windows generally uses ICMP, while Linux and Cisco IOS use UDP for traceroute. Some implementations use TCP packets, such as tcptraceroute and layer four traceroute (lft).

Windows :- Windows uses the “tracert” command. It sends an ICMP Echo Request (Type 8) and waits for the ICMP reply from each hop (Type 11 – TTL exceeded).

Traceroute sends three probes for each hop in the path. Why three? So that we get a reasonable average of the round-trip time for each hop. By default, traceroute sends a sequence of User Datagram Protocol (UDP) packets with destination port numbers ranging from 33434 to 33534. Let’s see it in action :-

Lab setup :-

So let’s try traceroute in this simple network :-

Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
1 15 msec 9 msec 6 msec
2 11 msec 7 msec 8 msec

As we see in the output above, there are three RTTs (in msec) per hop, so for two hops traceroute sent six probes in total. Let’s dig deeper and analyze the packet capture.
Packet Capture between R1 and R2 :-

As we see in the above capture, there are 6 probes. Some things to note from the capture :-
1. Six probes in total: three get their reply from R2 ( and the other three get their reply from R3 (
2. Each probe is sent as a UDP packet and each reply is ICMP (TTL exceeded or Destination unreachable)
3. The port number of the first probe is 33434 and it increments by one for each probe (the first three probes are answered by R2 and the remaining three by R3)
4. However, there is a difference between the reply from R2 (TTL exceeded) and the reply from R3 (Destination unreachable).

1st TRACEROUTE Packet and its reply –
We got an ICMP reply because the TTL was set to 1: the packet cannot get past Router 2, where its TTL is decremented to 0. The 2nd and 3rd packets are the same (remember, three probes per hop) with TTL = 1, but the port number is incremented by 1 with each packet.
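The probe/reply bookkeeping described above (TTL per hop, one UDP port per probe, Time Exceeded from transit routers, Destination Unreachable from the target) is modelled below as an added example; this is not code from the original article, it only covers the UDP variant used by Cisco/Linux, and the reply list is constructed to mirror the six-probe capture between R1 and R2 rather than taken from a real trace.

```python
from statistics import mean

BASE_PORT = 33434        # first UDP destination port of a classic traceroute
PROBES_PER_HOP = 3       # three probes per hop, as in the capture above
ICMP_TIME_EXCEEDED = 11  # sent by a transit router when the TTL reaches 0
ICMP_DEST_UNREACH = 3    # sent by the destination; code 3 = port unreachable

def probe_plan(max_hops, probes=PROBES_PER_HOP, base_port=BASE_PORT):
    """(ttl, udp_dst_port) of every probe: the TTL rises once per hop,
    the destination port rises by one with every single probe."""
    return [(hop, base_port + (hop - 1) * probes + p)
            for hop in range(1, max_hops + 1) for p in range(probes)]

# Constructed reply list standing in for the R1-R2 capture (not a real capture).
# Fields: replying router, UDP dst port of the probe answered, ICMP type, code, RTT (msec)
REPLIES = [
    ("R2", 33434, 11, 0, 15), ("R2", 33435, 11, 0, 9), ("R2", 33436, 11, 0, 6),
    ("R3", 33437, 3, 3, 11), ("R3", 33438, 3, 3, 7), ("R3", 33439, 3, 3, 8),
]

def build_hop_table(replies, max_hops=30, probes=PROBES_PER_HOP, base_port=BASE_PORT):
    """Match replies back to probes through the UDP port, group them per hop
    (TTL) and stop at the hop that answers with Destination Unreachable.
    A probe without a reply is counted as lost (the '*' of real traceroute)."""
    by_port = {r[1]: r for r in replies}
    table = []
    for hop in range(1, max_hops + 1):
        src, rtts, lost, final = None, [], 0, False
        for p in range(probes):
            reply = by_port.get(base_port + (hop - 1) * probes + p)
            if reply is None:
                lost += 1
                continue
            src, _, itype, code, rtt = reply
            rtts.append(rtt)
            if itype == ICMP_DEST_UNREACH and code == 3:
                final = True                      # the destination itself answered
            elif itype != ICMP_TIME_EXCEEDED:
                raise ValueError(f"unexpected ICMP type {itype}/{code} from {src}")
        avg = round(mean(rtts), 1) if rtts else None
        table.append({"hop": hop, "src": src, "rtts": rtts, "lost": lost,
                      "avg_msec": avg, "final": final})
        if final:
            break
    return table
```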

Now let’s see the 4th packet and its reply