Traceroute: how does it work?

Traceroute is a valuable tool that you can use to trace the path of data packets from a computer to its destination on the internet. It's like following a map of data's journey through various networks and devices.

Traceroute is incredibly valuable when it comes to monitoring and troubleshooting networks. It can help you understand how traffic flows within a client’s organization and identify any hiccups along the way. As a result, mastering it can help you protect your clients, both by finding bottlenecks and by finding vulnerabilities.

In this article, we'll explore how traceroute works, its significance in cybersecurity, and its practical applications for diagnosing network problems. 

Traceroute: its definition and its role

So, what is traceroute and what does it do? At its core, traceroute, also known as tracert in Windows systems, is a key tool used in network diagnostics. It illuminates the path that data packets traverse from their origin to their destination within an IP network. 

This path, often involving several hops through different routers, can offer significant insights into the functioning and efficiency of a network.

Traceroute works by manipulating the Time-to-Live (TTL) field in the IP header of the packets it sends. As each data packet makes its journey, every router it encounters reduces the TTL value until it reaches zero.

Once this occurs, the router discards the packet and sends back a TTL exceeded message. By capturing these messages, traceroute identifies each hop along the network path.

So, why is traceroute considered essential in the world of cybersecurity? Here are some key applications:

Troubleshooting network issues

By using traceroute, network administrators can pinpoint exactly where connection issues occur within a network. This capability is incredibly handy when troubleshooting problems like slow-loading web pages or packet loss. The information provided by traceroute enables swift problem identification and resolution, ultimately ensuring optimal performance for end-users.

Identifying ISP issues

Traceroute can also help in identifying whether internet speed or connection problems stem from a client's Internet Service Provider (ISP) or the specific website or service they are attempting to access. Such knowledge enables network administrators to guide their clients towards effective troubleshooting and resolution.

Verifying routing and security

Traceroute plays a vital role in verifying the integrity of network routes and security protocols. By ensuring that data packets are following the intended path and passing through the appropriate security checkpoints—such as firewalls, VPNs, or other measures—traceroute helps maintain network security and prevent unauthorized access or data breaches.

Investigating cyberattacks

In the event of a security breach, traceroute can be used to trace the path of the attack and determine its source. This vital information helps in identifying vulnerabilities, implementing appropriate security measures, and warding off future cyberattacks.

Testing network performance

Apart from its troubleshooting capabilities, traceroute also plays an essential role in monitoring and testing network performance. By observing latency metrics, traceroute aids in identifying areas of the network that might be hindering its overall performance.

How to run traceroute

Traceroute is a handy network diagnostic tool, but your team needs to know how to run it. To run a traceroute using ICMP on different operating systems:

If you're using a Mac or Linux system, follow these steps:

  1. Open the Terminal application.
  2. Type "traceroute [hostname]" (replace [hostname] with the website or IP address you want to trace) and press enter.

On a Windows system, the process is slightly different:

  1. Go to the Start menu and select Run.
  2. Type "cmd" and hit "OK" to open the command prompt.
  3. Type "tracert [hostname]" and press enter.

After running the ICMP traceroute command, the tool will start sending packets with different time-to-live (TTL) values to the destination. Each hop along the route decrements the TTL, and the hop where it reaches zero sends an ICMP TTL Exceeded message back to your computer.
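What the TTL Exceeded message described here (and in the definition section above) contains, as an added example that is not part of the original article: the reply quotes the expired probe's IP header plus its first 8 bytes, which is how a reply is matched to the probe that triggered it. The function names and addresses are constructed for illustration, checksums are left at zero, and ICMP echo probes are assumed; with UDP or TCP probes the quoted 8 bytes are the start of that header instead.

```python
import socket
import struct

def ip_header(src, dst, ttl, payload_len):
    """Minimal 20-byte IPv4 header, protocol 1 (ICMP), checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_time_exceeded(router, src, dst, ident, seq):
    """Construct, for this demo only, the reply a router at `router` would send."""
    echo = struct.pack("!BBHHH", 8, 0, 0, ident, seq)     # probe: ICMP echo request
    quoted = ip_header(src, dst, 1, len(echo)) + echo     # expired probe, quoted back
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted     # type 11, code 0: TTL exceeded
    return ip_header(router, src, 64, len(icmp)) + icmp

def parse_time_exceeded(packet):
    """Return the hop address and the probe it answers, or None if not type 11/code 0."""
    ihl = (packet[0] & 0x0F) * 4                          # outer IP header length
    if packet[9] != 1 or len(packet) < ihl + 8 + 28:
        return None                                       # not ICMP, or too short
    if (packet[ihl], packet[ihl + 1]) != (11, 0):
        return None                                       # some other ICMP message
    inner = packet[ihl + 8:]                              # quoted IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    ident, seq = struct.unpack("!HH", inner[inner_ihl + 4:inner_ihl + 8])
    return {"hop": socket.inet_ntoa(packet[12:16]),       # the router that replied
            "probe_dst": socket.inet_ntoa(inner[16:20]),  # where the probe was headed
            "ident": ident, "seq": seq}                   # identifies the probe

if __name__ == "__main__":
    # Constructed reply using documentation address ranges.
    pkt = build_time_exceeded("198.51.100.1", "192.0.2.10", "203.0.113.10", 0x1234, 3)
    print(parse_time_exceeded(pkt))
```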

Once the traceroute is complete, you'll see a list of hops with their respective IP addresses or hostnames. Each hop represents a network device along the path, and the round-trip times provide insights into the latency experienced at each hop. 

To interpret the traceroute results, look for latency and packet loss values. Latency indicates the time it takes for a packet to travel to a hop and back, while packet loss refers to the percentage of packets that didn't receive a response. Analyzing these values helps identify potential network issues or bottlenecks.

Traceroute limitations

Traceroute can be extremely valuable when it comes to identifying network and security issues. However, it does have some limitations that are important to consider:

  1. Firewalls can block probe packets: When conducting a traceroute, it's possible to encounter firewalls that block the probe packets. This can result in traceroute reaching its maximum number of hops without returning any results. In such scenarios, adjusting the transport protocols or ports can often help overcome these obstacles.
  2. Load balancing can affect accuracy: Routers that implement load balancing distribute data packets across various paths to optimize network performance. This can lead to traceroute displaying an inaccurate path between the source and the destination. Fortunately, there's a solution called Paris-Traceroute. Unlike traditional traceroute, Paris-Traceroute is designed to address this specific issue. It ensures that all probe packets follow the same path, thereby providing a more accurate representation of the network route.
  3. Difficulty differentiating between muted interfaces and real loss: Traceroute cannot distinguish between muted interfaces (those that never reply with ICMP Time Exceeded packets) and actual loss episodes. A single traceroute run is usually insufficient to make this distinction.
  4. Incomplete view of the end-to-end path: Most network pairs have multiple possible routes between them. To explore all alternative routes, multiple probes from the source to the destination are necessary. However, load balancing distortion can make this challenging.
  5. MPLS can distort per-hop delays: MPLS tunnels with u-turn behavior can lead to distorted per-hop delay measurements in traceroute results.

Despite these limitations, traceroute remains a valuable tool for identifying network problems. However, it's important to be aware of its shortcomings and consider alternative methods or tools for more comprehensive network analysis.
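One way to read a hop list with limitations 1 and 3 in mind, as an added example that is not from the original article: it parses `traceroute -n` style output, computes per-hop loss, and separates a hop that never answers from silence that lasts to the end of the trace. The function names, labels and sample output are constructed, and the labels are a heuristic for a single run, not proof of loss.

```python
import re

# Constructed sample of `traceroute -n` output (documentation address ranges).
SAMPLE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.398 ms  0.377 ms
 2  * * *
 3  198.51.100.1  9.8 ms  10.1 ms  9.9 ms
 4  198.51.100.9  48.2 ms * 47.9 ms
 5  203.0.113.10  49.0 ms  48.7 ms  49.3 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")

def parse_hops(text):
    """Return one dict per hop: hop number, RTT list (ms) and loss percentage."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or blank
        body = m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(body)]
        lost = body.split().count("*")  # each "*" is a probe with no reply
        probes = len(rtts) + lost
        hops.append({"hop": int(m.group(1)), "rtts": rtts,
                     "loss_pct": round(100 * lost / probes) if probes else 0})
    return hops

def classify(hops):
    """Label each hop; a heuristic, since one run cannot prove real loss."""
    last_reply = max((h["hop"] for h in hops if h["rtts"]), default=0)
    labels = {}
    for h in hops:
        if h["rtts"] and h["loss_pct"] == 0:
            labels[h["hop"]] = "ok"
        elif h["rtts"]:
            labels[h["hop"]] = "partial-loss"  # re-run to see whether it persists
        elif h["hop"] < last_reply:
            labels[h["hop"]] = "silent-hop"  # later hops answered, so probes got through
        else:
            labels[h["hop"]] = "no-reply-to-end"  # blocked probes or real loss: ambiguous
    return labels

if __name__ == "__main__":
    for hop, label in classify(parse_hops(SAMPLE)).items():
        print(hop, label)
```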

Cybersecurity solutions to support traceroute 

While traceroute is invaluable for diagnosing connectivity issues, it may not provide a comprehensive view of network performance. Consider integrating additional network monitoring solutions to supplement traceroute's capabilities and gain a more detailed understanding of your network.

Network assessment tools can work with traceroute, offering advanced insights and a more robust network monitoring strategy. These tools, in turn, need complementary solutions to build a full cybersecurity strategy for clients.

These solutions can work alongside traceroute to enhance your network monitoring capabilities and provide advanced insights. Here are a few examples:

  1. Network path analysis tools: Look at the route that data takes through a network. This category of tools can be viewed as specialized, focusing on the identification and addressing of network issues, particularly latency and packet loss at each hop along the path.
  2. Real-time network monitoring tools: Focus more on providing constant, real-time data on the network's performance. The key feature here is their ability to provide ongoing data as conditions change, which can help identify transient or intermittent issues that could impact network performance.
  3. All-in-one network management systems: Comprehensive platforms that perform a variety of tasks beyond monitoring network performance or tracking the path of data. They provide a more holistic view of the network, encompassing aspects like device configuration, fault monitoring, performance tracking, and security. 

By integrating these complementary tools into your network monitoring strategy, you can enhance the capabilities of traceroute and gain a more robust understanding of a client network's performance. Solutions like these and other cybersecurity risk assessment tools help your team proactively identify and resolve network issues, ensuring optimal performance and minimal downtime. 

A comprehensive cybersecurity strategy requires a diverse set of software and tools to provide your clients adequate protection against threats. ConnectWise MDR combines enterprise-grade EDR technology with expert SOC services to close your clients’ security gaps and keep their data safe. Watch a free on-demand demo of the ConnectWise cybersecurity suite today to see our cybersecurity software in action.


A traceroute tool identifies the path data packets take through a network. Traceroutes work by sending packets with increasing Time to Live (TTL) values. As packets traverse the network, each router decreases the TTL value. When the TTL value reaches zero, the packet is discarded, and an ICMP Time Exceeded message is returned to the source. A traceroute can identify each hop or router in a network path, providing valuable insight into connectivity issues and network performance optimization.

Traceroute is used to troubleshoot network issues by identifying where latency or packet loss occurs. By executing a traceroute command and analyzing the resulting output, network administrators can pinpoint the specific hops causing network problems. This information is crucial for taking effective measures to resolve these issues. Additionally, traceroute's ability to map the data route can help detect any routing anomalies or misconfigurations contributing to network problems.

Common traceroute errors often involve routers or firewalls blocking ICMP packets, leading to missing responses from specific hops. This can result in timeouts or asterisks (*) in the traceroute output, indicating a lack of response within the set time limit. Additionally, some routers may prioritize ICMP traffic differently, which can cause inaccurate latency measurements. These issues can affect the reliability of traceroute results, necessitating alternative methods or adjustments for accurate network diagnostics.

Alternatives to traceroute for network troubleshooting include tools like PathPing and mtr (My traceroute) and comprehensive network monitoring solutions. PathPing combines traceroute and ping functionalities to offer detailed packet loss and latency information. mtr provides real-time statistics on network paths, while network monitoring platforms with built-in traceroute capabilities offer advanced troubleshooting and analysis features. These tools can provide deeper insights, help diagnose issues, and optimize network performance.

Traceroute identifies network delays and congestion by measuring the Round-Trip Time (RTT) for each hop in the data path. By examining these RTT values, traceroute can highlight hops with high latency, which may indicate potential network bottlenecks or congestion. This helps distinguish between delays caused by individual routers and those resulting from overall network congestion.