traceroute &
tracert Explained

traceroute (Linux / macOS) and tracert (Windows) map the path packets take across a network — hop by hop — revealing where delays and failures occur between you and any destination.

ICMP · UDP · TTL · Linux · macOS · Windows

01 — How It Works

Every IP packet carries a TTL (Time To Live) value — a counter that each router decrements by one. When TTL hits zero the router drops the packet and sends back an ICMP "Time Exceeded" message. traceroute exploits this deliberately.

By sending probes with TTL = 1, 2, 3 … and collecting the ICMP replies, traceroute builds a map of every router on the path.

Each row in the output represents one hop. Three probes are sent per hop and the round-trip time (RTT) for each is reported. A * means no reply was received within the timeout.

02 — Basic Usage

Linux / macOS

traceroute google.com

Windows

tracert google.com

Typical output

traceroute to google.com (142.250.185.46), 30 hops max 1 192.168.1.1 1.2 ms 1.0 ms 0.9 ms 2 10.0.0.1 8.4 ms 8.1 ms 8.3 ms 3 72.14.215.165 12.1 ms 11.9 ms 12.0 ms 4 * * * 5 142.250.185.46 14.3 ms 14.1 ms 14.2 ms

ℹ * * * means the router at that hop did not reply — this is common and does not always indicate a problem. The destination may still be reachable.

03 — Reading the Output

Column	Meaning
Hop #	Sequence number — 1 is the first router (usually your gateway)
Hostname / IP	Identity of the router at that hop
RTT 1, 2, 3	Round-trip times for the three probes sent to that hop (ms)
* * *	No reply received — router may block ICMP, or packet was lost

What to look for: a sudden large jump in RTT between two consecutive hops points to latency at that link. Consistent * * * from a hop onwards suggests a firewall or routing black hole.

04 — Common Flags

Linux / macOS — traceroute

Flag	Description	Example
-n	Skip DNS — show IPs only (faster)	traceroute -n 8.8.8.8
-m <hops>	Max hops (default 30)	traceroute -m 20 8.8.8.8
-q <n>	Probes per hop (default 3)	traceroute -q 5 8.8.8.8
-w <sec>	Timeout per probe (default 5s)	traceroute -w 2 8.8.8.8
-I	Use ICMP instead of UDP	traceroute -I 8.8.8.8
-T	Use TCP SYN probes (port 80)	traceroute -T 8.8.8.8
-s <src>	Bind to a specific source IP	traceroute -s 10.0.0.2 8.8.8.8

Windows — tracert

Flag	Description	Example
-d	Skip DNS — show IPs only	tracert -d 8.8.8.8
-h <hops>	Max hops (default 30)	tracert -h 20 8.8.8.8
-w <ms>	Timeout per reply in ms	tracert -w 2000 8.8.8.8
-4 / -6	Force IPv4 or IPv6	tracert -6 google.com

05 — Practical Examples

Fast trace — no DNS lookup

traceroute -n 1.1.1.1 # Linux / macOS tracert -d 1.1.1.1 # Windows

ICMP mode — better firewall traversal

sudo traceroute -I google.com

TCP mode — test a specific port

sudo traceroute -T -p 443 google.com

Increase probes for reliability

traceroute -q 10 -n 8.8.8.8

IPv6 trace

traceroute6 ipv6.google.com # Linux / macOS tracert -6 ipv6.google.com # Windows

06 — Troubleshooting Guide

Symptom	Likely meaning
High RTT at one hop, normal after	That router deprioritises ICMP — not a real bottleneck
RTT grows steadily each hop	Normal — distance and propagation delay accumulating
Sudden RTT spike that persists	Congested or degraded link at that hop
* * * then destination replies	Intermediate router blocks ICMP — path is fine
* * * all the way to end	Routing black hole, firewall blocking all probes, or host down
Trace loops back to same hop	Routing loop — contact the upstream provider

⚠ traceroute uses UDP by default on Linux/macOS and ICMP on Windows. Firewalls may block one but not the other — try -I (ICMP) or -T (TCP) if you get all stars.

ℹ For a more visual experience, try mtr (Linux/macOS) — it combines ping and traceroute into a live continuously-updating display: mtr google.com

traceroute &tracert Explained

traceroute &
tracert Explained