ccie blog

How does traceroute work?

I’m gonna fly into an example so you can see what actually happens when you bang out a traceroute command on a router. In the network below, I’m going to traceroute from Sw1 to Sw2.


Type escape sequence to abort.
Tracing the route to

  1 0 msec 0 msec 9 msec
  2 0 msec 0 msec 0 msec
  3 8 msec *  0 msec

A Wireshark capture was taken on Sw1, and this can be viewed online here (I recommend you open this file before reading on).


Traceroute can be explained in three main steps below.

1- Traceroute starts by sending 3 UDP packets with a TTL set to 1, towards the destination. Each UDP packet gets an ICMP reply with a Time-to-live exceeded message. The key thing is that the IPv4 Source field is now filled with an IP address ( – line 2 in the packet capture). This means is now our first hop.

2- Sw1 then sends another 3 UDP packets to the destination with a TTL of 2. So the packet goes past the first hop (Sw3), gets to the second hop (Sw4), and another 3 ICMP TTL exceeded messages are sent back with the source IP field filled in ( – line 8 in the packet capture). This means is our second hop.

3- Sw1 then sends another 3 UDP packets to the destination with a TTL of 3. This time it actually reaches the destination, and we get an ICMP – Destination unreachable (Port unreachable) message back. Because we can actually reach the destination (at layer 3) and the TTL has not been exceeded, it now tries to reach the destination port (layer 4). This verifies that this is the final hop, and a TTL of 3 meant the destination was 3 hops away. It doesn’t matter that the port was unreachable, it was simply a test to get that port unreachable message back so that we know we moved up the OSI stack to layer 4, which verifies layer 3 is reachable.

The last thing is that traceroute always starts at port 33434 and increments by 1 each time a UDP packet is sent. You can see this in the packet capture. The first line shows the destination port is traceroute (which is 33434). The next red line shows 33435, then 33436 and so on.
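The three steps and the port increment above, as an offline simulation of both sides of the exchange. This is an added example, not code from the original post or data from its capture: the 192.0.2.x addresses are constructed, and `forward`, `traceroute` and `IcmpReply` are hypothetical names.

```python
from dataclasses import dataclass

BASE_PORT = 33434        # first UDP destination port, per the article
PROBES_PER_TTL = 3
# Constructed path as seen from Sw1; the last entry is the destination (Sw2).
PATH = [("Sw3", "192.0.2.3"), ("Sw4", "192.0.2.4"), ("Sw2", "192.0.2.2")]

@dataclass
class IcmpReply:
    src: str             # IPv4 source of the ICMP message = hop that answered
    icmp_type: int       # 11 = Time Exceeded, 3 = Destination Unreachable
    code: int            # 0 = TTL exceeded in transit, 3 = Port Unreachable

def forward(dst, ttl, dport, path=PATH, open_ports=()):
    """Carry one UDP probe along the path; return the ICMP reply or None."""
    for _name, addr in path:
        if addr == dst:
            # Reached at layer 3, so delivery to the UDP port is attempted.
            if dport in open_ports:
                return None                  # a listener accepted it: no ICMP
            return IcmpReply(addr, 3, 3)     # closed port: Port Unreachable
        ttl -= 1                             # every router decrements the TTL
        if ttl == 0:
            return IcmpReply(addr, 11, 0)    # dropped here, router names itself
    return None                              # destination not on this path

def traceroute(dst, max_ttl=30, **net):
    """Return ([(ttl, hop address or '*')], next unused destination port)."""
    hops, port = [], BASE_PORT
    for ttl in range(1, max_ttl + 1):
        replies = []
        for _ in range(PROBES_PER_TTL):
            replies.append(forward(dst, ttl, port, **net))
            port += 1                        # one new port per probe sent
        answered = [r for r in replies if r is not None]
        hops.append((ttl, answered[0].src if answered else "*"))
        if any(r.icmp_type == 3 for r in answered):
            break                            # Port Unreachable: final hop
    return hops, port

if __name__ == "__main__":
    for ttl, hop in traceroute("192.0.2.2")[0]:
        print(ttl, hop)
```

Calling `traceroute("192.0.2.2", max_ttl=5, open_ports=range(33434, 33500))` shows the failure mode: when something is listening on the probed port, no Port Unreachable comes back, so the destination hop shows as `*` and the trace runs on to `max_ttl`.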


Rahul, August 22nd, 2013 at 1:23 pm

nice explanation….

Srijana, October 9th, 2013 at 4:42 pm

Nice explanation !!

Aakil, June 15th, 2014 at 6:17 pm

Very good work.

Mehdi, June 27th, 2014 at 9:21 am

Very gooooood.excellent

Tarang Srivastava, March 26th, 2015 at 5:07 am

short simple but great explanation ………. thanks

And the attached document (wireshark) was Great keep up the good work

Arun, February 16th, 2016 at 2:18 am


Anonymous, June 27th, 2016 at 12:28 pm

Thank you!

Jatin Kapoor, October 24th, 2016 at 10:57 am

Excellent Article.

shaikh, February 2nd, 2018 at 8:02 pm


Nassim, February 3rd, 2018 at 3:22 pm

Thanks, excellent article

Biraj, May 21st, 2018 at 7:12 am

Very much Informative
