Monday 29 June 2015

How traceroute works


TTL
The time to live (TTL) value can be thought of as an upper bound on how long an IP datagram can exist in an internet system.
The TTL field is set by the sender of the datagram and decremented by each router along the route to its destination. If the TTL field reaches zero before the datagram arrives at its destination, the datagram is discarded and an ICMP error message (Time Exceeded) is sent back to the sender.
The purpose of the TTL field is to prevent an undeliverable datagram from circulating forever (for example in a routing loop); without it, such immortal datagrams would eventually swamp the network.
In IPv4, the TTL is an 8-bit field in the IP header, so its maximum value is 255.

TRACEROUTE
Traceroute works by sending packets with a gradually increasing TTL value, starting with a TTL of one. The first router receives the packet, decrements the TTL to zero and drops the packet, then sends an ICMP Time Exceeded message back to the source. The source address of that ICMP message reveals the router's address.

     +--------+                                          +--------+   
     | SENDER |                                          | TARGET |   
     +--------+                                          +--------+   
         |                                                   ^|     
      [============( Router )=====( Router )=====( Router )==|====]
                  ^              ^              ^            |  
                  | TTL=1        | TTL=2        | TTL=3      | TTL=4  
 Traceroute       |              |              |            |        
 shows these -----+--------------+--------------+------------/       

Traceroute works by increasing the "time-to-live" value of each successive batch of packets sent.
1. As shown in the figure above, the first three packets sent have a time-to-live (TTL) value of one (meaning they are not forwarded by the first router and make only a single hop).
2. The next three packets have a TTL value of 2, and so on. When a packet passes through a router, the router normally decrements the TTL value by one and forwards the packet to the next hop. When a packet with a TTL of one reaches a router, the router discards the packet and sends an "ICMP time exceeded" message to the sender.
3. The traceroute utility uses these returning messages to produce a list of hosts that the packets have traversed en route to the destination. The three timing values printed for each host along the path are the round-trip delay (latency) values for each packet in the batch.
4. If no reply returns within the expected timeout window, a star (asterisk) is traditionally printed. Traceroute does not necessarily list the real path: it only indicates that the first replying host is one hop away, the second two hops away, and so on. IP does not guarantee that all the packets take the same route. Also note that if the host at hop number N does not reply (for example because it rate-limits or filters ICMP), that hop shows only asterisks in the output.
5. On Linux, the traceroute utility by default uses UDP datagrams with destination port numbers from 33434 to 33534, moving to the next port for each probe; the target, which has nothing listening on those ports, answers the final probe with an ICMP Port Unreachable message, which tells traceroute that the destination has been reached.
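The following added example is not part of the original post; it is an offline model of the TTL handling and the probe loop described in both sections above, written to show the mechanism rather than to run a real trace. It builds a genuine 20-byte IPv4 header (with the 8-bit TTL at byte 8 and a correct header checksum), lets each simulated router decrement the TTL exactly as a real router does, and runs the traceroute loop with three probes per hop and a UDP destination port that starts at 33434 and advances per probe. The router addresses, the target address, the `Router`/`forward`/`traceroute` names and the silent router at hop 2 are all constructed for this example; no packets are sent.

```python
"""Simulated traceroute: IPv4 TTL handling plus the probe loop (educational model, no network I/O)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
TTL_OFFSET = 8                              # the 8-bit TTL field is byte 8 of the header
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of the
    16-bit words, computed with the checksum field itself treated as zero."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!10H", bytes(h)))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    return ipv4_checksum(header) == struct.unpack("!H", header[10:12])[0]


def build_ipv4_header(src: str, dst: str, ttl: int, payload_len: int = 0) -> bytes:
    """Pack a minimal IPv4 header for a UDP probe with the given TTL."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL is an 8-bit field")
    fields = [(4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, PROTO_UDP, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))
    return IPV4_HDR.pack(*fields)


def get_ttl(header: bytes) -> int:
    return header[TTL_OFFSET]


def decrement_ttl(header: bytes) -> bytes:
    """What every router does before forwarding: TTL - 1 and a fresh header checksum."""
    h = bytearray(header)
    h[TTL_OFFSET] -= 1
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


@dataclass
class Router:
    address: str
    sends_icmp: bool = True  # a router that filters or rate-limits ICMP shows up as '*'


def forward(path: List[Router], target: str, header: bytes) -> Tuple[str, Optional[str]]:
    """Walk one datagram hop by hop. Returns (icmp_type, replying_address);
    the address is None when the router that dropped the packet stays silent."""
    for router in path:
        header = decrement_ttl(header)
        if get_ttl(header) == 0:            # TTL expired here: drop and report back
            return ("time_exceeded", router.address if router.sends_icmp else None)
    # Arrived at the target with TTL > 0. Nothing listens on the probe's UDP port,
    # so the target answers with ICMP Port Unreachable, which ends the trace.
    return ("port_unreachable", target)


def traceroute(path: List[Router], target: str, src: str = "10.0.0.1",
               max_hops: int = 30, probes_per_hop: int = 3, base_port: int = 33434):
    """Send probes_per_hop probes per TTL, TTL = 1, 2, ... until the target answers.
    Returns a list of (ttl, [(udp_port, replying_address_or_None), ...])."""
    hops = []
    port = base_port
    icmp_type = "time_exceeded"
    for ttl in range(1, max_hops + 1):
        replies = []
        for _ in range(probes_per_hop):
            probe = build_ipv4_header(src, target, ttl, payload_len=8)  # 8-byte UDP header
            icmp_type, who = forward(path, target, probe)
            replies.append((port, who))
            port += 1                       # Linux traceroute advances the port per probe
        hops.append((ttl, replies))
        if icmp_type == "port_unreachable":
            break
    return hops


def format_hop(ttl: int, replies) -> str:
    """Render one output line the way traceroute does, '*' for a missing reply."""
    return f"{ttl:2d}  " + "  ".join(who if who else "*" for _, who in replies)


if __name__ == "__main__":
    # Constructed path: three routers, the middle one never sends ICMP Time Exceeded.
    PATH = [Router("192.0.2.1"), Router("192.0.2.2", sends_icmp=False), Router("192.0.2.3")]
    for ttl, replies in traceroute(PATH, "203.0.113.9"):
        print(format_hop(ttl, replies))
```

Running the block prints four lines: hops 1 and 3 show the router addresses, hop 2 shows `*  *  *` because that router drops the probe without replying, and hop 4 shows the target, reached when the TTL=4 probe arrives with TTL still above zero and is answered with Port Unreachable instead of Time Exceeded. Note that the silent router is still counted as a hop; traceroute learns its distance from the TTL, not its identity.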
