What Is Traceroute?
Traceroute is a tool that shows you every stop your data makes on its way to a website or server. Think of it like a map of your internet connection. Each stop is called a hop. This beginner’s guide to traceroute beginner guide will teach you to read those maps.
Traceroute exists because the internet is not one big cable. It is a web of many networks connected together. When you visit a site, your data passes through many routers. Traceroute makes those hidden stops visible.
For more about what happens when you test a connection, see our guide on pinging unused IP addresses.
Traceroute vs Ping – What’s the Difference?
| Tool | What It Does | What You See |
|---|---|---|
| Ping | Tests if a destination is reachable | Success/failure, time, packet loss |
| Traceroute | Maps the whole path to a destination | List of routers, time for each hop |
Ping answers “can I get there?” Traceroute answers “what is the path, and where are the delays?”
What Is a Network Hop?
A network hop is one router that your data passes through. Each hop adds a small delay. Imagine mailing a letter that goes through several post offices. Each post office is a hop. The more hops, the longer the delivery.
A typical trip from New York to London might have 15‑20 hops.
How Packets Move Across the Internet
Your computer breaks data into small pieces called packets. Each packet has:
- Your IP address (who sent it)
- The destination IP (where it’s going)
- A TTL number (explained later)
- The actual data
These packets travel separately. They may even take slightly different paths. Traceroute shows one possible path.
Routers and Gateways – A Simple Explanation
A router is a device that connects different networks. It looks at a packet’s destination IP and decides where to send it next. Your home gateway (the box your ISP gave you) is your first router.
Think of a router as a mail sorting center. It reads the address and forwards the letter to the next center.
The Step‑by‑Step Journey of a Packet
- Your computer creates a packet for
1.1.1.1. - It sends the packet to your home router.
- Your home router forwards it to your ISP’s first router.
- That router sends it to another ISP router.
- This continues across the internet.
- Finally, the packet reaches the destination.
- The destination sends a reply back (often a different path).
Traceroute shows steps 3‑5.
How Traceroute Works (No Tech Overload)
Traceroute sends packets with a trick. It uses a number called TTL (Time To Live). Each router decreases that number by 1. When the number reaches 0, the router stops the packet and sends a message back. That message includes the router’s IP.
Traceroute starts with TTL=1, then TTL=2, then TTL=3, and so on. Each time, a different router replies. This way, it collects the IP of every router along the path.
TTL – The Secret Ingredient
TTL stands for Time To Live. It is a small number in every packet. Each router subtracts 1 from the TTL. If the TTL becomes 0, the router discards the packet and sends an error message back.
This prevents packets from traveling forever if there is a loop.
Why Routers Count Down TTL
Routers subtract 1 from TTL as a standard rule. It is part of how the Internet Protocol works. Without TTL, a routing mistake could cause packets to bounce between two routers forever. That would clog the network.
ICMP “Time Exceeded” Messages – What They Do
When a router discards a packet because TTL reached 0, it sends an ICMP Time Exceeded message back to your computer. This message contains the router’s IP address. Traceroute collects those IPs.
UDP vs ICMP – Two Traceroute Methods
| Method | Used By | How It Works |
|---|---|---|
| UDP traceroute | Linux, macOS | Sends UDP packets to a high, unused port. Destination replies “port unreachable.” |
| ICMP traceroute | Windows | Sends ICMP Echo Request packets. Destination replies with Echo Reply. |
You can often choose the method with a command option.
Windows vs Linux/macOS – Small Differences
| Feature | Windows tracert | Linux/macOS traceroute |
|---|---|---|
| Default method | ICMP | UDP |
| Max hops default | 30 | 30 |
| Stop early | Ctrl+C | Ctrl+C |
Both tools give similar results.
How to Run Traceroute on Windows
- Open Command Prompt (search for “cmd”).
- Type:
tracert google.com - Press Enter.
- Wait for the results.
To stop early, press Ctrl + C. To limit hops: tracert -h 15 google.com.
How to Run Traceroute on Linux
- Open Terminal.
- Type:
traceroute google.com - If not installed, run:
sudo apt install traceroute - Press Enter.
To use ICMP: traceroute -I google.com. To set max hops: traceroute -m 20 google.com.
How to Run Traceroute on macOS
- Open Terminal (Applications > Utilities).
- Type:
traceroute google.com - Press Enter.
macOS includes traceroute by default. Use -I for ICMP.
Mobile Traceroute Apps – A Quick Note
You can find traceroute apps for phones, like Network Analyzer or Ping & DNS. They work the same way but with a simpler screen. They are fine for casual checks.
Reading Traceroute Output – A Line by Line Guide
Here is a typical line from Windows tracert:
text
3 15 ms 12 ms 14 ms be-1.nyc.isp.net [198.51.100.7]
3= hop number (the third router)15 ms, 12 ms, 14 ms= three round‑trip times (in milliseconds)be-1.nyc.isp.net= the router’s name (if found)[198.51.100.7]= the router’s IP address
If a hop times out, you see * or “Request timed out.”
What Those IP Addresses Mean
Each IP address belongs to a router. The first hop is usually your home router. The second hop is your ISP’s local router. Later hops belong to backbone providers, cloud companies, or the final destination.
Private IPs (like 192.168.x.x) mean the router is inside a private network (your home or your ISP’s internal network).
Why Some Hops Show Names Instead of Numbers
Traceroute tries to look up the name for each IP (reverse DNS). The name often tells you:
- The city (e.g.,
nycfor New York) - The ISP (e.g.,
comcast.net) - The router’s role (e.g.,
edge,core)
These names help you guess where your traffic is going.
Understanding Latency – The “ms” Numbers
Latency is the time it takes for a packet to go from you to a router and back. It is measured in milliseconds (ms). One millisecond is one‑thousandth of a second.
- Hop 1 (your router): less than 1 ms
- Hop 2 (your ISP): 5‑15 ms
- Cross‑country hops: 30‑70 ms
- Across the ocean: 80‑150 ms
Higher numbers mean longer distances or congestion.
Three Numbers per Hop – What They Tell You
Traceroute sends three probes to each hop. The three numbers show the round‑trip time for each probe. If the numbers are close (e.g., 14, 15, 16), the path is stable. If they vary wildly (e.g., 10, 200, 15), there may be a problem.
What Causes Slow Hops?
- Distance – Light in fiber travels about 200,000 km/s. Far away means more time.
- Congestion – Too much traffic makes routers queue packets.
- Old or overloaded routers – Slow processing adds delay.
- Wireless links – Wi‑Fi and satellite have higher latency.
Sometimes a slow hop is not the real problem because the return path may be different.
Latency vs Packet Loss – Know the Difference
- Latency = delay. High latency makes things feel slow but they still work.
- Packet loss = some packets never arrive. Causes retransmissions, timeouts, and glitches.
Traceroute shows both: latency numbers for each hop, and * for lost probes.
“Request Timed Out” – What It Really Means
* * * means the router did not reply. Possible reasons:
- The router is set to ignore traceroute probes.
- The probe packet was lost.
- The router is down (rare).
If later hops reply, the silent router is just hiding. Ignore it.
Why Some Routers Hide from Traceroute
Network administrators block traceroute replies for security. They do not want outsiders to see their internal routers. This is normal and not a sign of a problem.
ICMP Filtering – A Common Reason for Silence
ICMP filtering means a firewall blocks certain ICMP messages. When a router filters ICMP Time Exceeded, it will not appear in traceroute. Many companies do this.
Hidden ISP Gear – When Hops Disappear
Internet providers often use MPLS (a tunneling technology). MPLS hides the internal routers. You may see only a few hops instead of many. The missing hops are still there; you just cannot see them.
MPLS Networks – Why Hops Go Missing
In MPLS, routers forward packets using labels, not IP addresses. They do not decrement the IP TTL. Therefore, traceroute does not see those hops. This is normal for large ISPs.
When Traceroute Stops Too Early
Traceroute may stop before reaching the destination because:
- A firewall blocks further probes.
- The destination does not reply to the probe type.
- There is a routing loop (rare).
- You reached the max hop limit (default 30).
If the website still loads, the destination is just ignoring traceroute.
The Last Hop vs the Final Destination
The last hop is the router closest to the destination. The final destination is the server itself. If the server does not reply to traceroute, you will see the last router and then timeouts.
For more about last hop mysteries, see our unassigned IPv4 addresses guide.
How CDNs Change Your Route
Content Delivery Networks (CDNs) like Cloudflare put servers close to you. When you traceroute to a CDN domain, you will hit a nearby edge server. The path is short, and latency is low.
Cloudflare and Other CDNs – How They Work
Cloudflare, for example, announces its IP addresses from many locations around the world. Your traceroute to 1.1.1.1 goes to the nearest Cloudflare node. That is why it often has very low latency.
Why Your Route Can Change Day to Day
Routes change for many reasons:
- Network maintenance
- Equipment failures
- Congestion (shifting traffic to less busy links)
- Cost (ISPs may change peering agreements)
So, do not be surprised if traceroute looks different tomorrow.
Load Balancing – Why Different Probes Take Different Paths
Many networks use load balancing to spread traffic across multiple links. Your three traceroute probes might take three different paths. You may see:
- Different IP addresses for the same hop number
- Different latency values
- Some probes reaching a router while others time out
This is normal and healthy.
How Geography Affects Your Hops
Router names often include city codes. For example, nyc means New York, lhr means London. By reading these names, you can guess the path your data takes.
Example – A Route Across the Ocean
A traceroute from New York to Sydney might show:
- New York routers (5‑10 ms)
- Dallas or Los Angeles (30‑50 ms)
- Undersea cable to Australia (150‑200 ms)
- Sydney ISP routers (20‑40 ms)
- Destination
Each region adds its own latency.
How Internet Providers Swap Traffic
When a packet leaves one ISP and enters another, it crosses a peering point or internet exchange. You may see a hop with a name like ix.nyc or an IP owned by a neutral exchange.
Peering and Transit – Simple Definitions
- Peering – Two ISPs exchange traffic for free (good for both).
- Transit – One ISP pays another to carry traffic to the rest of the internet.
Traceroute often shows a change in domain names at peering points.
The Internet Backbone – The Highway System
The internet backbone is a set of high‑speed routers owned by big ISPs. These routers form the long‑distance highways of the internet. Your traceroute may pass through several backbone routers.
Tier 1 Providers – The Top of the Chain
Tier 1 ISPs (like Lumen, Verizon, NTT) can reach every part of the internet without paying anyone. They form the top of the routing hierarchy. You will often see their router names in traceroute.
Your Home Router vs Your ISP’s Router
| Device | Role | Appears in traceroute? |
|---|---|---|
| Your home router | Forwards packets to your ISP | Yes (hop 1) |
| ISP local router | Connects you to the ISP’s network | Usually hop 2 |
| ISP backbone router | Long‑distance travel | Later hops |
Your home router often has a private IP. ISP routers have public IPs.
Public vs Private IPs in Traceroute
- Public IP – Unique on the internet. You see these after the first hop.
- Private IP – Reserved for internal use (e.g.,
10.x.x.x). If you see private IPs after hop 1, your ISP is using CGNAT.
NAT and CGNAT – Why You See Weird Addresses
NAT (Network Address Translation) hides private IPs behind a single public IP. Your home router does this. CGNAT is when your ISP does the same thing to save public IPs. In CGNAT, traceroute may show private IPs for several hops.
IPv4 vs IPv6 – Does It Matter?
- IPv4 is the older system. Most of the internet still uses it.
- IPv6 is newer and has a huge number of addresses. Traceroute works the same way on both.
On some networks, IPv6 traceroute may have fewer hops.
Security and Traceroute – What to Know
Traceroute reveals network layout. Attackers can use it to map a target’s infrastructure. For this reason, many companies block traceroute or hide internal routers. As a normal user, using traceroute to public websites is fine.
Can Traceroute Reveal Your Location?
Sometimes. Router hostnames often include city codes. Also, latency gives clues (e.g., 150 ms usually means across an ocean). However, IP geolocation is not always accurate. Do not rely on it for exact positioning.
Is It Legal to Use Traceroute?
Yes, using traceroute to public websites is perfectly legal. Do not use it to scan private networks without permission. That could violate laws.
How Attackers Could Use Traceroute
Attackers can use traceroute to find firewalls, learn about network layout, and identify weak spots. That is why security teams hide their internal routers.
Why Companies Hide Their Internal Routers
Companies block ICMP messages to keep outsiders from seeing their internal network structure. This is called security through obscurity. It adds a layer of difficulty for attackers.
Using Traceroute to Fix Slow Internet
When the internet feels slow, traceroute can tell you where the problem is:
- High latency at hop 1? Your home network (Wi‑Fi, router).
- High latency at hop 2 or 3? Your ISP.
- High latency later? A backbone provider or the destination.
Compare to a known fast destination (like 1.1.1.1) to rule out local issues.
Spotting Routing Problems with Traceroute
Look for these signs:
- A jump in latency from one hop to the next. That hop may be congested.
- Packet loss that continues to all later hops. That indicates a real problem.
- Repeating IPs in a loop. That is a routing loop (call your ISP).
Ignore packet loss that appears at one hop but disappears later. That hop is just ignoring probes.
Traceroute for Gamers – Reducing Lag
If you have high ping in a game, run traceroute to the game server’s IP (you may need to find it from the game’s logs). The hop where latency spikes is the culprit. If it is outside your ISP’s network, you cannot fix it yourself, but you can report it.
Finding Packet Loss – A Simple Method
- Run
ping -n 100 [destination]to confirm loss. - Run traceroute to see where loss occurs.
- If loss starts at hop 5 and continues to the end, the problem is at or after hop 5.
- Use
mtr(see later) for continuous monitoring.
For more on ping tests, see our guide on pinging unused IPs.
How a VPN Changes Your Traceroute
When you use a VPN, your traffic is tunneled to the VPN server. Traceroute will show:
- Your home router
- Your ISP hops
- The VPN server’s IP
- Then, from the VPN server to the destination (if split‑tunneling is off)
This adds extra hops and latency.
Why VPN Routes Look Strange
The path from the VPN server to the destination may be different from your direct path. You may see a jump in latency at the VPN server. That is normal.
Tor and Traceroute – A Bad Match
Tor routes your traffic through several encrypted relays. Traceroute from your computer will only reach the first Tor relay (the entry node). The rest of the path is hidden. Traceroute cannot help with Tor issues.
Common Traceroute Myths – Busted
| Myth | Truth |
|---|---|
| “High latency at a hop means that router is slow.” | Not necessarily. The return path could be slow. |
| “Packet loss at a hop means that router is broken.” | If later hops have no loss, the router is just ignoring probes. |
| “Traceroute shows the exact same path every time.” | Load balancing can change the path for each probe. |
| “All routers respond to traceroute.” | Many block it. |
What If a Router Ignores You?
If a router does not respond, you see * * *. The packet still passes through; the router just chooses not to reply. Do not worry about it.
Why a Hop Might Show Huge Latency
Sometimes a hop shows 200 ms while the next hop shows 50 ms. That seems impossible – round‑trip time cannot go down. The explanation is that the return path is different. The high latency came from a slow return route. Always focus on end‑to‑end latency, not hop‑by‑hop.
False Alarms in Traceroute – Don’t Be Fooled
* * *mid‑path does not mean packet loss. It just means no reply.- Private IPs after hop 1 are not a problem (just CGNAT).
- A single high latency hop is not always the problem.
Use common sense and test multiple times.
Real Traceroute Examples – See for Yourself
Example 1 – Normal home to Google
text
1 <1 ms <1 ms <1 ms 192.168.1.1 2 8 ms 7 ms 8 ms 10.20.30.1 3 12 ms 11 ms 12 ms be-1.nyc.isp.net [203.0.113.1] 4 15 ms 15 ms 14 ms 216.58.214.1
Example 2 – Silent router (ICMP filtered)
text
1 <1 ms <1 ms <1 ms 192.168.1.1 2 * * * Request timed out. 3 15 ms 15 ms 16 ms 203.0.113.1
Loss at hop 2 does not affect later hops – ignore it.
Example 3 – Destination unreachable after max hops
text
30 * * * Request timed out.
A Simple Picture of Packet Travel
text
[You] → [Home Router] → [ISP Local] → [Regional ISP] → [Backbone] → [CDN] → [Website]
Each arrow is a hop. Traceroute shows you the IP at each arrow.
Tools for Beginners – Start Here
- Command line (
tracertortraceroute) – free, built‑in. - VisualTraceroute – a graphical version (search for it).
- PingPlotter – combines ping and traceroute with nice graphs.
Start with the command line to learn the basics.
Web‑Based Traceroute – Another Option
You can find websites that run traceroute from their server to a destination. This helps you see the path from another location. However, avoid sending sensitive destinations.
MTR – A More Powerful Tool
MTR (My Traceroute) combines ping and traceroute into one. It continuously sends probes and shows live packet loss and latency per hop. It is great for diagnosing intermittent problems.
Install on Linux: sudo apt install mtr
Run: mtr google.com
Windows users can try WinMTR.
Traceroute vs Pathping – What’s the Difference?
Windows includes pathping. It sends 100 pings to each hop after mapping the route. It takes longer but gives more accurate loss statistics. Run: pathping google.com
Learning Cybersecurity with Traceroute
By studying traceroute, you can learn:
- How BGP routing works
- Where internet exchange points are
- How different ISPs connect
This knowledge is valuable for network security.
The Mystery of the Last Hop
Sometimes the last hop shows an unassigned IP address (a bogon). This can mean the destination network uses private addressing or a firewall hides the final router. For a deep dive, see our unassigned IPv4 addresses pillar post.
Common Traceroute Errors and Quick Fixes
| Problem | Likely Cause | Fix |
|---|---|---|
tracert: command not found | On Windows? Use tracert (no ‘e’). | Correct the spelling. |
traceroute: command not found | On Linux? Need to install. | sudo apt install traceroute |
All hops show * * * | Firewall blocks ICMP. | Cannot fix; the tool won’t work. |
| Repeating IPs (loop) | Routing loop. | Contact your ISP. |
Destination shows * * * but website loads | Destination blocks ICMP. | Normal; ignore. |
Final Thoughts – What Traceroute Can and Cannot Do
Traceroute can show you:
- The IP addresses of routers along the path.
- Approximate latency to each router.
- Where packets stop (if they stop).
- Whether loss is inside your ISP or beyond.
Traceroute cannot show you:
- The exact physical location of routers.
- The return path (it can be different).
- Hidden routers in MPLS networks.
- Whether a silent router is actually congested.
For related topics, explore our ping unused IP address guide and the unassigned IPv4 addresses pillar post.