What Is Traceroute?
Traceroute (tracert on Windows) is a network diagnostic tool that maps the path packets take from your device to a destination, revealing each router hop along the way and the latency to each. It is invaluable for diagnosing where in a network path a delay, packet loss, or routing problem is occurring.
How Traceroute Works: TTL Decrement
Traceroute exploits the IP Time-To-Live (TTL) field. Every IP packet has a TTL counter (typically starting at 64 or 128). Each router that forwards the packet decrements the TTL by 1. When TTL reaches 0, the router discards the packet and sends back an ICMP Time Exceeded message, which reveals that router's IP address and the RTT to reach it. Traceroute sends packets with TTL=1, 2, 3 … n until the destination is reached, building a complete picture of the route.
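The TTL mechanism above, followed at the byte level in an offline simulation (an added example, not code from the original page). It assumes ICMP Echo Request probes; the router list, the documentation-range addresses and all function names are illustrative assumptions.

```python
import socket
import struct

def checksum(data):
    """RFC 1071 Internet checksum over an even-length byte string."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, ttl, payload):
    """Wrap payload in a 20-byte IPv4 header (protocol 1 = ICMP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp(msg_type, rest):
    """ICMP message with code 0; rest is everything after the checksum."""
    raw = struct.pack("!BBH", msg_type, 0, 0) + rest
    return raw[:2] + struct.pack("!H", checksum(raw)) + raw[4:]

def hop(router_ip, pkt):
    """One router: decrement TTL; at 0, discard and answer Time Exceeded (type 11)."""
    ttl = pkt[8] - 1
    if ttl == 0:
        body = b"\x00" * 4 + pkt[:28]  # unused word + probe's IP header + 8 data bytes
        return None, ipv4(router_ip, socket.inet_ntoa(pkt[12:16]), 64, icmp(11, body))
    hdr = pkt[:8] + bytes([ttl]) + pkt[9:10] + b"\x00\x00" + pkt[12:20]
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + pkt[20:], None  # forwarded with TTL and checksum rewritten

def trace(src, routers, dst, max_hops=30):
    """Probe with TTL=1,2,...; return [(ttl, responder_ip, icmp_type)]."""
    seen = []
    for ttl in range(1, max_hops + 1):
        pkt = ipv4(src, dst, ttl, icmp(8, struct.pack("!HH", 0x4242, ttl)))
        for router in routers:
            pkt, reply = hop(router, pkt)
            if reply:
                break
        else:  # survived every router: the destination sends an Echo Reply (type 0)
            reply = ipv4(dst, src, 64, icmp(0, pkt[24:28]))
        seen.append((ttl, socket.inet_ntoa(reply[12:16]), reply[20]))
        if reply[20] == 0:
            break
    return seen

if __name__ == "__main__":  # constructed path, documentation-range addresses
    print(trace("192.0.2.10", ["192.0.2.1", "198.51.100.1", "203.0.113.1"], "203.0.113.80"))
```

The Time Exceeded body quotes the start of the discarded probe, which is how a real traceroute matches each reply to the probe that triggered it.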
Traceroute Commands by OS
| Operating System | Command | Protocol Used |
|---|---|---|
| Windows | tracert example.com | ICMP Echo Request |
| macOS | traceroute example.com | UDP (default) or ICMP with -I flag |
| Linux | traceroute example.com | UDP (default); TCP with -T flag; ICMP with -I flag |
| Linux (preferred) | mtr example.com | Continuous traceroute with live packet loss stats |
Interpreting Traceroute Output
| Output | What It Means |
|---|---|
| Low RTT at early hops, spike at later hops | Congestion or a distant route change at or after the spike hop |
| * * * (no response) | Router is configured to not respond to ICMP; this does not mean packet loss, as many routers deprioritise ICMP responses |
| RTT increases uniformly with each hop | Normal propagation delay; network is healthy |
| Same high RTT from one hop onward | Bottleneck or congestion is at or just before that hop |
Traceroute vs Ping
- Ping tests end-to-end round-trip time to a single destination; useful for confirming reachability and measuring overall RTT.
- Traceroute identifies every hop on the path and the RTT to each; useful for locating where in the path a problem is occurring.
- mtr (Matt's Traceroute) combines both tools, continuously sending probes and showing live packet loss and latency per hop; it is the most useful single-command network diagnostic.
- Traceroute hop IPs can be looked up in WHOIS to identify the ASN (network operator) responsible for each segment of the path.
Useful Flags and Variants
| Goal | Command | Notes |
|---|---|---|
| Skip slow name resolution | tracert -d example.com / traceroute -n example.com | Shows raw IPs only; much faster output |
| Limit the hop count | tracert -h 15 example.com / traceroute -m 15 example.com | Default maximum is 30 hops |
| Force ICMP probes on macOS/Linux | traceroute -I example.com | Often gets replies where default UDP probes are filtered |
| Probe like real traffic (Linux) | traceroute -T -p 443 example.com | TCP SYN to port 443 traverses firewalls that drop UDP/ICMP |
| Live combined view (mtr) | mtr example.com | Continuously updating loss and latency per hop |
A Worked Diagnosis, Hop by Hop
Reading a realistic trace
Hop 1 is your router (1-3ms wired; tens of ms here mean a Wi-Fi problem, not an internet one). Hops 2-4 are your ISP's local and regional network; this is where evening congestion shows up. The middle hops are transit and exchange points, where a sudden +80ms usually just means the route crossed an ocean. The final hops belong to the destination's network or CDN. Whoever owns the hop where trouble starts owns the problem. Identify them by running the hop's IP through an IP lookup or an ASN lookup.
The two classic false alarms
First: a single hop showing high RTT or stars while every later hop is fast. That router is merely deprioritising its own ICMP replies; traffic passing through it is fine. Only a slowdown that begins at one hop and persists to the destination is real. Second: latency that decreases at a later hop, which simply means the probes took a slightly different return path; routes are not always symmetric.
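The two false alarms above can be filtered mechanically. The following is an added example, not part of the original page: it parses IPv4 `traceroute -n` style output and reports silent hops, isolated slow hops, and the first hop where a lasting RTT rise begins. The sample trace is constructed, and the 50 ms threshold and function names are assumptions.

```python
import re
from statistics import median

# Constructed sample in `traceroute -n` layout; addresses are documentation ranges.
SAMPLE_TRACE = """\
traceroute to example.com (203.0.113.80), 30 hops max, 60 byte packets
 1  192.0.2.1  1.2 ms  1.1 ms  1.4 ms
 2  198.51.100.1  9.8 ms  10.4 ms  9.9 ms
 3  198.51.100.9  88.0 ms  91.2 ms  87.5 ms
 4  198.51.100.17  11.0 ms  11.3 ms  10.9 ms
 5  * * *
 6  203.0.113.1  95.1 ms  96.0 ms  94.8 ms
 7  203.0.113.80  97.0 ms  96.5 ms  97.4 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")

def parse_trace(text):
    """Return [(hop, ip_or_None, median_rtt_or_None)]; header lines are skipped."""
    hops = []
    for m in filter(None, map(HOP_RE.match, text.splitlines())):
        ip = IP_RE.search(m.group(2))
        rtts = [float(x) for x in RTT_RE.findall(m.group(2))]
        hops.append((int(m.group(1)), ip.group(0) if ip else None,
                     median(rtts) if rtts else None))
    return hops

def analyse(hops, threshold_ms=50.0):
    """Split cosmetic hops from the onset of a lasting rise (threshold is assumed)."""
    answered = [h for h in hops if h[2] is not None]
    # Lowest RTT among this hop and all later ones: filters slow ICMP replies.
    floor, running = [], float("inf")
    for _, _, rtt in reversed(answered):
        running = min(running, rtt)
        floor.append(running)
    floor.reverse()
    report = {"silent": [h for h, _, rtt in hops if rtt is None],
              "isolated": [h[0] for h, f in zip(answered, floor) if h[2] - f >= threshold_ms],
              "onset": None}
    for i in range(1, len(answered)):
        if floor[i] - floor[i - 1] >= threshold_ms:
            report["onset"] = answered[i][:2]
            break
    return report

if __name__ == "__main__":
    print(analyse(parse_trace(SAMPLE_TRACE)))
```

An onset is only the place where the lasting increase starts; whether it is congestion or simply a long-distance link still has to be judged from who owns that hop.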
What This Means for You
Traceroute turns "the internet is slow" into a named culprit. Problem at hop 1: fix your own Wi-Fi or cabling. Problem starting at hops 2-4 and persisting: that is your ISP, and a trace at a good hour versus a bad hour makes a persuasive support ticket. Problem only in the destination's final hops: nothing on your side will help. Combine it with ping for a quick end-to-end check and a speed test for throughput, and you can locate most home connectivity problems in under five minutes without calling anyone.
Frequently Asked Questions
Why does my traceroute show * * * on some hops?
Stars mean that router did not answer the probe within the timeout, almost always because it is configured to ignore or rate-limit ICMP, not because traffic is being lost. If later hops respond normally, the path is healthy and the silent hop is cosmetic.
Is running traceroute legal and safe?
Yes. It sends a handful of ordinary, low-rate packets and is a standard diagnostic that network operators expect. It neither probes services nor accesses systems; it only asks routers along an existing path to identify themselves.
Why are traceroute results different each time I run it?
Internet routing is dynamic: load balancing spreads packets across parallel paths, and routes change as conditions shift, so consecutive traces can show different middle hops. For stable conclusions, use mtr or repeat traces over time and look at patterns rather than a single run.