How Does Traceroute Work?
Traceroute is a network diagnostic tool that maps the path packets take from your computer to a destination. It reveals every router hop along the way, showing you the actual network path — which may differ significantly from what the BGP AS path suggests.
The TTL Trick
Traceroute works by exploiting the Time To Live (TTL) field in IP packets. Every IP packet has a TTL value that starts at some number (typically 64 or 128) and decreases by 1 at each router hop. When the TTL reaches 0, the router discards the packet and sends back an ICMP Time Exceeded message to the sender.
Traceroute sends a series of packets with incrementally increasing TTL values:
- Send a packet with TTL=1 — the first router decrements it to 0, drops the packet, and sends back an error. Now you know the first router's IP.
- Send a packet with TTL=2 — the second router drops it and replies. Now you know the second hop.
- Continue until the packet reaches the destination, which sends a different reply indicating the trace is complete.
Most traceroute implementations send three probes per hop to measure latency at each point.
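An offline model of this exchange, added here as an example and not taken from any traceroute implementation: `forward` plays the routers (decrement, drop at 0, reply) and `trace` plays the sender (TTL raised by one per round, three probes each). The names `Node`, `PATH`, `forward` and `trace` and the addresses are constructed for illustration, and no packets are sent.

```python
from dataclasses import dataclass

TIME_EXCEEDED = "icmp-time-exceeded"  # sent by the router where TTL reached 0
DEST_REPLY = "destination-reply"      # the different reply that ends the trace


@dataclass
class Node:
    ip: str
    replies: bool = True  # False models a device configured not to answer probes


# Constructed sample path (documentation address ranges); the last node is the target.
PATH = [
    Node("192.0.2.1"),
    Node("198.51.100.7", replies=False),  # forwards traffic but stays silent
    Node("198.51.100.9"),
    Node("203.0.113.50"),
]


def forward(path, ttl):
    """Network side: carry one probe along the path, one decrement per router."""
    for i, node in enumerate(path):
        if i == len(path) - 1:  # probe arrived at the target itself
            return (node.ip, DEST_REPLY) if node.replies else None
        ttl -= 1                # each router decrements before forwarding
        if ttl == 0:            # expired here: drop, and report back if allowed
            return (node.ip, TIME_EXCEEDED) if node.replies else None
    return None


def trace(path, max_hops=30, probes=3):
    """Sender side: raise the TTL by one per round until the target answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        answers = [forward(path, ttl) for _ in range(probes)]
        seen = [a for a in answers if a is not None]
        hops.append((ttl, seen[0][0] if seen else "* * *"))
        if any(kind == DEST_REPLY for _, kind in seen):
            break               # target reached, trace complete
    return hops


if __name__ == "__main__":
    for ttl, responder in trace(PATH):
        print(f"{ttl:2d}  {responder}")
```

The silent router at hop 2 shows up as `* * *` while hops 3 and 4 still answer, because a router that declines to reply still forwards the probes that have TTL left.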
What Traceroute Shows
A typical traceroute output shows:
- Hop number — The position in the path (1, 2, 3, ...)
- Router IP and hostname — The address of the router at that hop (if reverse DNS is configured)
- Round-trip times — Three latency measurements in milliseconds
- * * * — Indicates the router did not respond (many routers are configured to not reply to traceroute probes)
Traceroute vs BGP AS Path
Traceroute shows the actual forwarding path of packets, while the BGP AS path shows the control plane path — the sequence of autonomous systems the route advertisement traversed. These often align, but they can differ because:
- A single AS may have many internal routers, so the traceroute shows multiple hops within one AS
- Traffic engineering may cause packets to take a different path than what BGP suggests
- Asymmetric routing means the forward and return paths may differ
Using a BGP looking glass alongside traceroute gives you a complete picture: the looking glass shows the AS-level view, while traceroute shows the router-level path.
Variants
- traceroute (Unix) — Uses UDP packets by default
- tracert (Windows) — Uses ICMP echo requests
- mtr — Combines traceroute and ping into a continuous display
- Paris traceroute — Ensures all probes follow the same path through load balancers
Try looking up the IPs you see in a traceroute to identify which autonomous systems they belong to.