Home
My IP
GPS
Find Me
Your Location
4️⃣IPv4:
📍...
6️⃣IPv6:
🌍...
🏢...
📌...
How-To Guides9 min read

Traceroute Explained: Read Every Hop Like a Network Pro

Traceroute maps your packet's journey router by router. Learn to read real output hop by hop, understand TTL mechanics, and stop misreading * * * as failure.

By WhatIsMyLocation Team·Updated July 1, 2026
Traceroute Explained: Read Every Hop Like a Network Pro

Summarise this article with:

TL;DR
Traceroute sends packets with incrementing TTL values so each router along a path reveals itself. You read the output left to right: hop number, router identity, three round-trip times. Asterisks at a single hop almost never mean a problem. A real issue shows up as a latency jump that persists through all later hops, or as asterisks that continue all the way to the destination.

Traceroute tells you exactly where on the internet your packets go, one router at a time. It is the difference between knowing a connection is slow and knowing which router is causing it. You can run it from your terminal or use our browser-based Traceroute tool right now.

Run a traceroute from the browser and follow each hop
Run a traceroute from the browser and follow each hop

A Real Traceroute, Read Hop by Hop

Start with the output. Theory comes after.

traceroute to google.com (142.250.80.46), 30 hops max, 60 byte packets
 1  router.local (192.168.1.1)        1.2 ms    0.9 ms    1.1 ms
 2  10.0.0.1 (10.0.0.1)              8.4 ms    9.1 ms    8.7 ms
 3  isp-core.example.net (203.0.113.5) 12.3 ms  11.6 ms  12.9 ms
 4  * * *
 5  72.14.204.68 (72.14.204.68)      15.2 ms  14.5 ms  15.8 ms
 6  142.251.247.91 (142.251.247.91)  14.1 ms  13.4 ms  14.7 ms
 7  142.250.80.46 (142.250.80.46)    14.0 ms  13.3 ms  13.6 ms

Hop 1 is always your router. The 192.168.1.1 address is a private IP, almost always your home gateway. The three numbers (1.2 ms, 0.9 ms, 1.1 ms) are the round-trip times for three separate probes. Single-digit milliseconds here is healthy.

Hops 2 and 3 are inside your ISP. The 10.0.0.1 at hop 2 is still in private space, likely your ISP's aggregation device. Hop 3 has a public IP and a hostname that hints at an ISP core router. Latency has climbed to about 12 ms, which is normal for the regional ISP network.

*Hop 4 is .** Three asterisks mean the probes timed out. This is not a failure. That router forwarded your traffic just fine but chose not to send an ICMP reply back. Many routers are configured this way deliberately, to reduce CPU overhead and to prevent their management interfaces from being exposed. The proof that nothing is broken: hops 5, 6, and 7 all respond normally.

Hops 5 and 6 are Google's network edge. The IPs fall in Google's autonomous system. Latency has settled around 14-15 ms and stays there.

Hop 7 is the destination. Traffic arrived. Total round-trip from your machine to Google is about 14 ms in this trace.

How TTL Makes This Possible

Every IP packet carries a Time to Live (TTL) field. Despite the name, it is a hop counter, not a clock. Each router that forwards a packet subtracts 1 from the TTL. When TTL hits zero, the router discards the packet and sends an ICMP "Time Exceeded" message back to the sender. That ICMP reply reveals the router's IP address and the round-trip time to reach it.

TTL exists to stop packets from circling a broken network forever. Traceroute repurposes it as a ranging mechanism:

  1. Send a packet with TTL=1. The first router hits zero, discards it, sends back a Time Exceeded. You have hop 1.
  2. Send a packet with TTL=2. The first router decrements to 1 and forwards it. The second router hits zero and reports back. You have hop 2.
  3. Repeat until the packet reaches its destination. The destination does not send a Time Exceeded. It sends an ICMP Echo Reply (if the probe was ICMP) or an ICMP Port Unreachable (if the probe was UDP). Either way, traceroute knows it arrived.

At each TTL level, traceroute sends three probes. That is why you see three latency values per line.

What Protocol Is Being Sent

Different operating systems use different probe protocols by default:

  • Linux and macOS: UDP packets to high-numbered ports, starting at port 33434 by convention. The destination sends back ICMP Port Unreachable when these arrive on a port nothing is listening on.
  • Windows (tracert): ICMP Echo Request packets. The destination sends back ICMP Echo Reply.
  • TCP traceroute (tcptraceroute): TCP SYN packets, typically to port 80 or 443. Useful when firewalls block ICMP and UDP but pass web traffic.

Finding the Real Problem in Output

Latency That Sticks

A real bottleneck shows up as a jump in latency that remains elevated for every hop after it. Look at this example:

 3  isp-router.example.com     12 ms   11 ms   12 ms
 4  peering-point.example.com  85 ms   92 ms   88 ms
 5  next-hop.example.com       87 ms   84 ms   89 ms
 6  dest.example.com           88 ms   85 ms   90 ms

Latency jumps from 12 ms to 85 ms between hops 3 and 4, then stays elevated. The trouble is at the link between hop 3 and hop 4: congested peering point, a long-distance undersea cable, or a saturated transit link.

Latency That Does Not Stick

In my testing, the single-hop spike is one of the most commonly misread patterns in traceroute:

 3  isp-router.example.com     12 ms   11 ms   12 ms
 4  busy-router.example.com   150 ms  145 ms  148 ms
 5  next-hop.example.com       13 ms   12 ms   14 ms

Hop 4 looks alarming. Hop 5 is completely fine. That means hop 4 is just slow at generating ICMP responses, likely because it rate-limits them to protect its CPU while still forwarding actual traffic at wire speed. Your connection is fine.

The `* * *` Myth

Asterisks at a middle hop without a destination failure mean almost nothing. Many production routers at ISPs and cloud providers suppress ICMP Time Exceeded messages entirely, either by firewall policy or by rate limiting that kicks in under load. If you see * at hop 4 but hop 5 responds and you eventually reach the destination, the path is intact.

The situation that does matter: asterisks that start at a hop and continue all the way to the end, with no destination response. That pattern indicates a firewall blocking traffic at that hop, a genuine routing failure, or a host that is simply down. Pair it with a Ping to the destination to confirm whether traffic is getting through at all.

Routing Loops

Occasionally you will see the same router repeat:

 4  router-a.example.com  15 ms  14 ms  16 ms
 5  router-b.example.com  18 ms  17 ms  19 ms
 6  router-a.example.com  22 ms  21 ms  23 ms
 7  router-b.example.com  25 ms  24 ms  26 ms

Packets are bouncing between two routers. This is a genuine misconfiguration. Save the traceroute output and send it to your ISP or network administrator.

Commands for Each Platform

Linux and macOS

traceroute google.com              # UDP probes, default
traceroute -I google.com           # ICMP probes instead
traceroute -T -p 443 google.com    # TCP to port 443 (through firewalls)
traceroute -q 1 google.com         # one probe per hop, faster
traceroute -w 2 google.com         # 2-second timeout per probe

Windows

tracert google.com                 # ICMP probes, default
tracert -d google.com              # skip DNS resolution, faster output
tracert -h 20 google.com           # cap at 20 hops

Browser-Based

Use our Traceroute tool if you want to run a trace without opening a terminal, or to test the path from a server rather than your own machine.

Advanced Tools

MTR (My Traceroute)

MTR combines traceroute and ping into a live, updating display. While a standard traceroute takes a single snapshot, MTR continuously probes every hop and shows running statistics: average latency, packet loss percentage, best and worst recorded times, and standard deviation. Run it for at least 100 packets to catch intermittent problems that a one-shot trace would miss completely.

MTR is available on Linux and macOS via your package manager (brew install mtr, apt install mtr). Windows users can use WinMTR, a graphical port.

Paris Traceroute

Modern routers use Equal-Cost Multi-Path (ECMP) routing, which distributes traffic across several parallel links by hashing packet headers. Because standard traceroute changes the source port with each probe, different probes at the same TTL level may follow different physical paths, giving you a misleading patchwork of routes rather than a single real path.

Paris traceroute keeps the flow identifier constant across all probes, so every packet follows the same path. The result is an accurate map of one actual route through an ECMP network.

When to Use Which Tool

ProblemTool
"Is the server reachable at all?"Ping
"Which hop is slow or dropping?"Traceroute
"How fast is my connection?"Speed Test
"Is a service actually running?"Port Scanner
"Who operates the ASN at this hop?"ASN Lookup

Frequently Asked Questions

Why does my traceroute show * * * for every hop after a certain point?

This usually means a firewall is blocking ICMP or UDP traffic at that hop and all traffic beyond it. Run a Ping to the destination to check whether traffic is actually getting through at the application layer. If ping also times out, the destination is either unreachable or filtering all probes. If ping succeeds but traceroute stalls, try TCP traceroute (traceroute -T -p 443) to bypass the filtering.

Does a high latency number at one hop mean my network is broken?

Not if later hops return to normal. A single high-latency hop followed by lower latency is almost always a router that rate-limits its own ICMP replies while still forwarding traffic at full speed. Only a latency jump that persists across all subsequent hops points to a real bottleneck.

What is the difference between traceroute and tracert?

They are the same concept on different operating systems. traceroute is the Unix command (Linux, macOS). tracert is the Windows command. The main functional difference is the default protocol: Unix traceroute sends UDP packets by default, while Windows tracert sends ICMP Echo Requests.

A typical path to a major CDN or cloud provider involves 8 to 20 hops. Paths that stay within the same country and ISP tend to be shorter. Paths crossing multiple continents or ISP boundaries can run longer. The hop count itself is less important than the latency at the destination.

Why do some hops show different IP addresses for the same hop number?

You may see multiple IPs at a single hop number when ECMP routing sends your three probes down different paths. Each path passes through a different router, each of which reports back. The result is that hop 5, for example, shows three different IP addresses. Paris traceroute fixes this by keeping all probes on the same path.

Can traceroute reveal the physical location of each router?

Roughly, yes. The hostname (when reverse DNS resolves) often contains airport codes or city abbreviations that hint at geography. You can also look up the IP of any hop with an IP Lookup or ASN Lookup to see which organization operates it and what region they list. IP geolocation for backbone routers is imprecise, but it usually identifies the right city or region. See IP geolocation accuracy for the caveats.

Sources

W

WhatIsMyLocation Team

Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.

Related Articles

Try Our Location Tools

Find your IP address, GPS coordinates, and more with our free tools.