Traceroute Explained: How to Trace Network Paths Like a Pro

When a website loads slowly or a connection drops intermittently, ping can tell you there is a problem, but it cannot tell you where the problem is. That is where traceroute comes in. Traceroute maps the entire path your data takes from your computer to its destination, showing every router hop along the way and how long each one takes.

In this guide, you will learn how traceroute works at the protocol level, how to read its output, and how to use it effectively to diagnose real network issues.

What Is Traceroute?

Traceroute (called tracert on Windows) is a network diagnostic tool that displays the route packets take to reach a destination. It identifies every intermediate router (called a "hop") between your computer and the target, along with the latency at each hop.

The tool was originally written by Van Jacobson in 1987 and has been an essential part of network troubleshooting ever since. You can use our Traceroute tool for browser-based path tracing, or run it from your terminal.

How Traceroute Works: The TTL Trick

Traceroute exploits a clever mechanism built into the Internet Protocol: the Time to Live (TTL) field. Here is how it works step by step:

The TTL Field

Every IP packet has a TTL field in its header. Despite the name, TTL is not actually a time value. It is a hop counter. Each router that forwards the packet decrements the TTL by 1. When the TTL reaches 0, the router discards the packet and sends back an ICMP "Time Exceeded" message to the sender.

TTL exists to prevent packets from looping forever in case of a routing misconfiguration. Traceroute repurposes this mechanism for diagnostic purposes.

The Traceroute Process

First probe: Traceroute sends a packet with TTL=1. The first router decrements it to 0, discards the packet, and sends back an ICMP Time Exceeded message. Traceroute now knows the IP address and latency of the first hop.

Second probe: Traceroute sends a packet with TTL=2. It passes through the first router (TTL decremented to 1), reaches the second router (TTL decremented to 0), and the second router sends back a Time Exceeded message.

This continues with incrementing TTL values until the packet reaches the final destination. The destination host does not send a Time Exceeded message. Instead, it sends an ICMP Echo Reply (if the probe was ICMP) or an ICMP Port Unreachable (if the probe was UDP targeting a high, unlikely-to-be-open port).

At each TTL level, traceroute typically sends three probes to measure variability in latency.

Protocol Variations

Different operating systems use different probe protocols by default:

Unix/Linux/macOS: Sends UDP packets to high-numbered ports (33434 and up). The destination responds with ICMP Port Unreachable.
Windows (tracert): Sends ICMP Echo Request packets. The destination responds with ICMP Echo Reply.
TCP traceroute (tcptraceroute): Sends TCP SYN packets, typically to port 80 or 443. This is useful because many firewalls allow TCP traffic to web ports while blocking ICMP and UDP.

Reading Traceroute Output

Here is a typical traceroute output:

traceroute to google.com (142.250.80.46), 30 hops max, 60 byte packets
 1  router.local (192.168.1.1)  1.234 ms  0.987 ms  1.102 ms
 2  10.0.0.1 (10.0.0.1)  8.456 ms  9.123 ms  8.789 ms
 3  isp-core-router.example.net (203.0.113.5)  12.345 ms  11.678 ms  12.901 ms
 4  * * *
 5  72.14.204.68 (72.14.204.68)  15.234 ms  14.567 ms  15.890 ms
 6  142.251.247.91 (142.251.247.91)  14.123 ms  13.456 ms  14.789 ms
 7  142.250.80.46 (142.250.80.46)  14.012 ms  13.345 ms  13.678 ms

Each Line Explained

Hop number: The sequential hop count starting from 1.
Hostname and IP: The router's hostname (if reverse DNS resolves) and its IP address.
Three latency values: The round-trip time for each of the three probes sent at that TTL level.

The Asterisks (* * *)

Asterisks on hop 4 mean that router did not respond to the probes within the timeout period. This is extremely common and usually not a problem. Many routers are configured to deprioritize or silently drop ICMP messages to reduce load. As long as subsequent hops respond normally, asterisks at intermediate hops are nothing to worry about.

How to Identify Network Problems

The Latency Jump Pattern

The most reliable way to find a bottleneck is to look for a significant, sustained increase in latency:

 3  isp-router.example.com    12 ms   11 ms   12 ms
 4  peering-point.example.com  85 ms   92 ms   88 ms
 5  destination-isp.example.com  87 ms   84 ms   89 ms

Notice the jump from approximately 12ms to approximately 85ms between hops 3 and 4. Since hops 5, 6, and beyond all maintain that higher latency, the bottleneck is at hop 4. Traffic is crossing a congested peering point or a long-distance link.

Important distinction: If only one hop shows high latency but subsequent hops return to normal, the "slow" hop is likely just deprioritizing ICMP responses, and there is no real performance issue:

 3  isp-router.example.com    12 ms   11 ms   12 ms
 4  busy-router.example.com  150 ms  145 ms  148 ms
 5  next-hop.example.com      13 ms   12 ms   14 ms

Hop 4 looks terrible, but hop 5 is fine. The router at hop 4 is just slow at generating ICMP responses because it is prioritizing actual traffic forwarding. This is normal and not a concern.

Packet Loss at a Specific Hop

If you see consistent asterisks starting at a certain hop and continuing to the end:

 3  isp-router.example.com    12 ms   11 ms   12 ms
 4  * * *
 5  * * *
 6  * * *

This usually means either a firewall is blocking traffic at hop 4, or there is a genuine routing failure at that point. Combine this with a Ping Tool test to the final destination to determine if traffic is actually getting through.

Routing Loops

Occasionally you will see the same router appear multiple times:

 4  router-a.example.com  15 ms  14 ms  16 ms
 5  router-b.example.com  18 ms  17 ms  19 ms
 6  router-a.example.com  22 ms  21 ms  23 ms
 7  router-b.example.com  25 ms  24 ms  26 ms

This is a routing loop. Packets are bouncing between two routers. This is a serious issue that usually requires the ISP or network administrator to fix. Contact your ISP with the traceroute output as evidence.

Advanced Traceroute Techniques

Paris Traceroute

Traditional traceroute can show misleading paths because modern routers use Equal-Cost Multi-Path (ECMP) routing, which distributes packets across multiple links based on a hash of the packet headers. Since each probe has a different source port, different probes at the same TTL level may follow different paths.

Paris traceroute solves this by keeping the flow identifier constant across all probes, ensuring you see a single, consistent path rather than a mashup of multiple paths.

MTR (My Traceroute)

MTR combines the functionality of ping and traceroute into a single tool. It continuously sends probes and updates statistics in real-time, showing:

Average latency at each hop
Packet loss percentage at each hop
Best and worst latency at each hop
Standard deviation of latency

MTR is incredibly useful for diagnosing intermittent problems because it collects data over time rather than taking a single snapshot. Run it for at least 100 packets for statistically meaningful results.

TCP Traceroute

When standard traceroute fails because firewalls block ICMP and UDP, TCP traceroute sends SYN packets to a specific TCP port:

sudo tcptraceroute google.com 443

This is more likely to succeed through corporate firewalls and NAT devices because the packets look like normal web connection attempts.

Traceroute on Different Operating Systems

Linux and macOS

traceroute google.com           # UDP probes (default)
traceroute -I google.com        # ICMP probes
traceroute -T -p 443 google.com # TCP probes to port 443
traceroute -q 1 google.com      # One probe per hop (faster)
traceroute -w 2 google.com      # 2-second timeout per probe

Windows

tracert google.com              # ICMP probes (default and only option)
tracert -d google.com           # Skip DNS resolution (faster)
tracert -h 20 google.com       # Maximum 20 hops

Browser-Based

If you do not have terminal access or want to trace from a different geographic location, use our Traceroute tool. It runs the trace from our servers and displays results in an easy-to-read format.

When to Use Traceroute vs Other Tools

Symptom	Best Tool
"Is the server up?"	Ping Tool
"Where is the slowdown?"	Traceroute
"How fast is my connection?"	Speed Test
"Is a specific service running?"	Port Scanner
"What is the server's IP?"	WHOIS Lookup

Traceroute is most valuable when combined with other tools. Run a ping first to confirm there is a latency problem, use traceroute to identify which hop is causing it, and then use the information to contact the right ISP or network administrator.

Key Takeaways

Traceroute works by sending packets with incrementing TTL values to map each hop on the network path
Look for sustained latency increases across multiple hops to find real bottlenecks
Asterisks at intermediate hops are usually harmless and just mean the router does not respond to ICMP
Use MTR for continuous monitoring of intermittent issues
TCP traceroute can penetrate firewalls that block standard ICMP/UDP probes
Use our Traceroute tool for quick, browser-based path analysis

Related Articles:

WhatIsMyLocation Team

Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.

About our team·Our tools·Contact us

How-To Guides

WiFi Router Security Checklist: 10 Settings to Change Right Now

11 min read

How-To Guides

What Is My IPv6 Address? Complete Guide

11 min read

How-To Guides

How to Change Your IP Address (5 Easy Methods)

10 min read

Try Our Location Tools

Find your IP address, GPS coordinates, and more with our free tools.

What Is My Location My IP Address GPS Coordinates