
Traceroute

Map the network path packet by packet by exploiting how routers expire packets that travel too far.


TL;DR

Traceroute reveals every router (or "hop") between you and a target host, and shows the round-trip time to each one. It is how you find out where a connection is slow, where it breaks, and which networks your traffic crosses to reach its destination.

What it is

Traceroute is a path discovery tool. Where ping tells you whether the endpoint answers, traceroute tells you the route packets take to get there, with one line per router along the way.

It works by abusing a header field that was designed to prevent packets from looping forever: TTL on IPv4, Hop Limit on IPv6. By sending packets with deliberately small TTL values and listening for the resulting error messages, traceroute discovers each hop in sequence.

How it works

Every IP packet has a TTL (or Hop Limit) field. Each router on the path decrements it by 1. When the value reaches 0, the router discards the packet and sends back an ICMP Time Exceeded message (Type 11 on IPv4, Type 3 on IPv6). That message reveals the router's IP address.

Traceroute exploits this:

  1. Send a probe with TTL = 1. The first router decrements to 0, discards it, and sends ICMP Time Exceeded back. You now know hop 1.
  2. Send a probe with TTL = 2. It dies at hop 2. You now know hop 2.
  3. Continue incrementing TTL until the probe reaches the destination, which responds differently.
  4. Stop.

Each hop is usually probed multiple times (commonly 3) so you get three RTT samples per router.

Probe styles

| Probe | How destination signals "I am the end" |
| --- | --- |
| ICMP (Windows default) | Echo Reply (Type 0 / Type 129) |
| UDP (classic Unix default) | ICMP Port Unreachable on a closed high port |
| TCP (paris-traceroute, tcptraceroute) | SYN-ACK or RST on the target port |

TCP traceroute is most useful when ICMP and UDP are filtered, because firewalls usually permit TCP to common ports like 80 or 443.
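The following is an added example, not code from networktoolkit.io. It shows how a traceroute receiver separates an intermediate hop from the destination for the ICMP and UDP probe styles on IPv4, relying on the fact that ICMP error messages quote the probe's IP header plus its first 8 bytes (RFC 792). The packets, addresses and ports are constructed, and `ip_header`, `build_sample` and `classify_reply` are hypothetical names.

```python
import socket
import struct

TIME_EXCEEDED, DEST_UNREACH, ECHO_REPLY = 11, 3, 0   # ICMPv4 types
PORT_UNREACHABLE = 3                                  # code under DEST_UNREACH


def ip_header(src, dst, proto, ttl=64):
    # Constructed 20-byte IPv4 header; checksum/length left 0 (parser ignores them).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_sample(responder, icmp_type, icmp_code, probe_dport=None):
    """Constructed reply as the prober (198.51.100.7) would read it off a raw socket."""
    quoted = b""
    if probe_dport is not None:  # ICMP errors quote the probe: IP header + 8 bytes
        quoted = ip_header("198.51.100.7", "93.184.216.34", socket.IPPROTO_UDP, 1)
        quoted += struct.pack("!HHHH", 40000, probe_dport, 8, 0)  # UDP header
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    return ip_header(responder, "198.51.100.7", socket.IPPROTO_ICMP) + icmp


def classify_reply(packet):
    """Map one raw IPv4+ICMP reply to hop / destination / other."""
    ihl = (packet[0] & 0x0F) * 4                    # outer IP header length
    if len(packet) < ihl + 8:
        raise ValueError("truncated ICMP message")
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    out = {"responder": socket.inet_ntoa(packet[12:16]),  # outer source address
           "kind": "other", "probe_dport": None}
    if icmp_type == ECHO_REPLY:
        out["kind"] = "destination"                 # ICMP-style probe reached target
    elif icmp_type in (TIME_EXCEEDED, DEST_UNREACH):
        quoted = packet[ihl + 8:]                   # skip the 8-byte ICMP header
        q_ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
        if q_ihl >= 20 and len(quoted) >= q_ihl + 4 and quoted[9] == socket.IPPROTO_UDP:
            # The quoted UDP destination port tells which probe this answers.
            out["probe_dport"] = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
        if icmp_type == TIME_EXCEEDED:
            out["kind"] = "hop"                     # TTL expired at a router
        elif icmp_code == PORT_UNREACHABLE:
            out["kind"] = "destination"             # UDP probe hit a closed port
    return out
```

Destination Unreachable with any code other than Port Unreachable is reported as `other`, since it does not mean the probe reached the target.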

When to use it

  • Identify where a slow connection is actually slowing down
  • Find the hop where a connection is being dropped
  • Confirm which transit networks (ASes) your traffic crosses
  • Diagnose asymmetric routing or unexpected geographic detours
  • Verify that traffic engineering or routing changes have taken effect
  • Compare paths from multiple regions when a service is slow from one location

Running it on networktoolkit.io

Select traceroute, enter a hostname or IP address, and the trace runs from each of our distributed workers. You see the full path from each location, so you can compare how traffic from London, Sydney, and São Paulo reaches the same destination. Sample output per worker:

traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
 1  10.0.0.1                 0.412 ms  0.387 ms  0.402 ms
 2  192.168.100.1            1.123 ms  1.087 ms  1.115 ms
 3  isp-gw-01.net (203.0.113.1)   8.245 ms  8.301 ms  8.278 ms
 4  ae-1-3201.edge4.London.Level3.net (4.69.143.13)  12.456 ms  12.401 ms  12.512 ms
 5  4.69.137.93              12.789 ms  12.834 ms  12.812 ms
 6  * * *
 7  93.184.216.34            12.901 ms  12.945 ms  12.923 ms

Reading the results

| Element | Meaning |
| --- | --- |
| Hop number | Position in the path; 1 is closest to the source |
| Hostname (if shown) | Reverse DNS for the hop's IP address |
| IP address | The router that returned the Time Exceeded message |
| Three times | RTT samples in milliseconds, one per probe |
| * * * | All three probes timed out at that hop; usually rate limiting or filtered ICMP, not a real outage |

Hostnames often encode useful information: airport codes (lhr, syd, lax), interface names (ae-1, xe-0/0/3), and AS identifiers. Reading them lets you infer geography and provider.

Common scenarios

| Pattern | What it likely means |
| --- | --- |
| Smooth RTT progression to destination | Healthy path |
| Sudden jump in RTT mid-path | Long-haul link (often intercontinental) or congested hop |
| RTT increases then plateaus | Normal; later hops show cumulative latency, not their own |
| * * * for a hop, then trace continues normally | Router is silently dropping ICMP responses; the path is fine |
| * * * for the rest of the trace | Path is broken at that hop, or ICMP is being filtered to the destination |
| Trace reaches a hop then loops | Routing loop, often a misconfigured BGP or static route |
| Unexpected geography (e.g. London to Paris via New York) | Suboptimal routing or peering issue |
| First hops change frequently | ECMP (Equal-Cost Multi-Path) load balancing |
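The following is an added example, not part of the networktoolkit.io tooling. It parses Unix-style traceroute output like the sample above and flags four of the patterns from this table: a silent hop, no replies to the end of the trace, a loop, and a sudden RTT jump. The `BROKEN` trace is constructed, `parse_trace` and `diagnose` are hypothetical names, and the 50 ms jump threshold is an assumption to tune per network.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# A responder IP is the address (bare or in parentheses) directly before an RTT.
IP_RE = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+[\d.]+ ms")
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_trace(text):
    """Return [(hop_no, ip_or_None, [rtt_ms, ...])] from Unix-style output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:  # skips the header line and blanks
            ip = IP_RE.search(m.group(2))
            rtts = [float(x) for x in RTT_RE.findall(m.group(2))]
            hops.append((int(m.group(1)), ip.group(1) if ip else None, rtts))
    return hops


def diagnose(hops, jump_ms=50.0):
    """Flag the table's patterns; jump_ms is an assumed threshold."""
    answered = [i for i, h in enumerate(hops) if h[1]]
    last = answered[-1] if answered else -1
    findings, seen, prev = [], set(), None
    for i, (n, ip, rtts) in enumerate(hops):
        if ip is None:
            if i > last:  # nothing answers from here on
                findings.append((n, "no-reply-to-end"))
                break
            findings.append((n, "silent-hop"))  # later hops answer: path is fine
            continue
        if ip in seen:
            findings.append((n, "loop"))  # same router at two hop numbers
        seen.add(ip)
        best = min(rtts)  # minimum RTT is least affected by queueing noise
        if prev is not None and best - prev > jump_ms:
            findings.append((n, "rtt-jump"))
        prev = best
    return findings


# Constructed sample: RTT jump at hop 3, loop at hops 4-5, then silence.
BROKEN = """\
 1  10.0.0.1  0.4 ms  0.4 ms  0.4 ms
 2  203.0.113.1  8.2 ms  8.3 ms  8.2 ms
 3  gw.example.net (198.51.100.9)  92.1 ms  91.8 ms  92.4 ms
 4  203.0.113.1  93.0 ms  93.2 ms  93.1 ms
 5  198.51.100.9  94.0 ms  94.1 ms  94.3 ms
 6  * * *
 7  * * *
"""
```

Run against the page's sample trace, `diagnose` reports only hop 6 as a silent hop, matching the "path is fine" reading in the table.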

Limitations & gotchas

  • Asymmetric routing is invisible. Traceroute only shows the forward path. The return path may be entirely different and can be the actual source of latency.
  • RTT is the round trip, not the hop's own latency. A hop showing 80 ms means the probe took 80 ms to reach it and the Time Exceeded to return; the hop itself may add no delay.
  • * * * rarely means outage. Most routers rate-limit or simply do not respond to ICMP Time Exceeded. The path itself is usually fine if later hops respond.
  • MPLS tunnels hide hops. Inside MPLS, intermediate routers may not decrement TTL, so an entire provider backbone can appear as a single hop.
  • Load balancing can produce inconsistent paths. ECMP, in particular, may route consecutive probes via different links, making the path appear unstable.
  • Anycast destinations mean the final IP might be answered by different physical machines depending on which network you trace from.

Security & privacy notes

Traceroute output is enumeration information: it reveals network topology, transit providers, and infrastructure naming conventions. Operators sometimes filter ICMP Time Exceeded or rate-limit it to reduce this exposure. Running traceroute against a target you do not own is generally low-impact but can appear in security logs as reconnaissance, especially at high volume.

Standards & references

  • RFC 1393 — Traceroute Using an IP Option
  • RFC 792 — ICMP (defines Time Exceeded message used by traceroute on IPv4)
  • RFC 4443 — ICMPv6 (defines Time Exceeded for IPv6 traceroute)
  • RFC 5837 — Extending ICMP for Interface and Next-Hop Identification

FAQ

Why do some hops show * * *?

The router at that hop is not responding to ICMP, either because it is configured to drop or rate-limit Time Exceeded messages, or because a firewall between you and it is filtering them. If later hops respond, the path is fine.

Why does traceroute show different paths each time?

Networks use ECMP to load-balance traffic across multiple links. Consecutive probes may take different paths. Tools like paris-traceroute hold the flow tuple steady to keep the path consistent.

Is the last hop's RTT the same as ping?

Usually yes, but ICMP Echo and ICMP Time Exceeded can be processed on different paths inside a router, so they sometimes differ by a few milliseconds.

Can a high RTT at one hop mean that hop is slow?

Not necessarily. RTT measures the round trip to that hop, including the return path. The hop itself may add no delay; the slowness may be on the path leading up to it, or on its return path.

Why does TCP traceroute work when UDP and ICMP do not?

Many firewalls block ICMP and UDP probes but allow TCP to common ports like 80 or 443, since those are needed for normal web traffic. TCP traceroute uses those ports to get through.

Does traceroute work over IPv6?

Yes. It uses ICMPv6 Time Exceeded messages (Type 3) instead of ICMP Type 11, and decrements Hop Limit instead of TTL.