Lab 92: Tracing Network Traffic with traceroute

Trace packet paths to a remote host and use hop-by-hop evidence to localize routing issues and latency spikes. Capture output as an artifact you can attach to an incident ticket.

Tags: networking, troubleshooting, routing

Scenario

A remote service is intermittently slow and users report timeouts. You need hop-by-hop visibility to identify where latency increases, where replies stop, and whether filtering is impacting probes.

Operator context

traceroute is evidence, not a verdict. Some routers rate limit or drop TTL-expired replies, so interpret * * * with context and validate with alternate probe types when needed.

Objective

  • Install traceroute using your distro package manager.
  • Trace a path to a public domain and interpret hop output.
  • Run numeric-only traces to eliminate DNS noise.
  • Observe timeout behavior when hops do not respond.
  • Limit max hops for fast, targeted traces.
  • Switch probe modes: ICMP vs TCP for firewall-friendly tracing.
  • Save results to a file and review them for reporting.

Concepts

  • TTL-based path discovery: each hop reports where the probe expires.
  • RTT interpretation: three probe timings per hop highlight jitter and spikes.
  • DNS influence: name resolution can add delay and noise; numeric output reduces variables.
  • Probe modes: UDP (default), ICMP, and TCP can produce different results depending on filtering.
  • Evidence handling: redirect output to a file for incident tickets and follow-up analysis.

Walkthrough

Step 1: Install traceroute if needed.
Command
sudo apt install traceroute -y
# OR
sudo dnf install traceroute -y
# OR
sudo pacman -S traceroute

Install the tool before you start collecting evidence. If the package is already present, verify the binary is available and runnable.

# Expected pattern:
traceroute package installs or reports already installed.

Step 2: Trace to a public domain.
Command
traceroute google.com

Each line is a hop where the TTL expired and a router (or the destination) returned a reply. The three RTT values are repeated probes per hop.

traceroute to google.com (142.250.72.46), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)           1.123 ms   0.956 ms   0.902 ms
 2  10.0.0.1 (10.0.0.1)                 7.412 ms   6.983 ms   7.201 ms
 3  96.120.45.1 (96.120.45.1)          12.881 ms  12.604 ms  12.447 ms
 4  68.86.190.45 (68.86.190.45)        18.522 ms  18.410 ms  18.367 ms
 5  142.250.72.46 (142.250.72.46)      23.771 ms  23.593 ms  23.541 ms

Step 3: Use numeric output only.
Command
traceroute -n google.com

Numeric-only output removes DNS resolution as a factor and speeds up traces when reverse lookups are slow or blocked.

traceroute to 142.250.72.46 (142.250.72.46), 30 hops max, 60 byte packets
 1  192.168.1.1           0.945 ms   0.881 ms   0.864 ms
 2  10.0.0.1              6.972 ms   6.751 ms   6.538 ms
 3  96.120.45.1          12.204 ms  12.093 ms  11.984 ms
 4  68.86.190.45         18.207 ms  18.165 ms  18.143 ms
 5  142.250.72.46        23.432 ms  23.317 ms  23.281 ms

Step 4: Observe timeout behavior.
Command
traceroute 10.255.255.1

* * * means no TTL-expired reply was received for that hop within the timeout. This can be filtering, rate limiting, or genuine loss; a silent hop followed by responsive hops usually indicates a router that does not reply rather than a broken path.

traceroute to 10.255.255.1 (10.255.255.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)           1.011 ms   0.948 ms   0.932 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *

Step 5: Limit maximum hops for a targeted trace.
Command
traceroute -m 5 google.com

A lower hop limit is useful when you only need to validate early-path behavior (local gateway, ISP edge, first transit).

traceroute to google.com (142.250.72.46), 5 hops max, 60 byte packets
 1  192.168.1.1           0.987 ms   0.921 ms   0.904 ms
 2  10.0.0.1              6.822 ms   6.599 ms   6.447 ms
 3  96.120.45.1          11.947 ms  11.853 ms  11.774 ms
 4  68.86.190.45         17.954 ms  17.903 ms  17.861 ms
 5  142.250.72.46        23.275 ms  23.163 ms  23.121 ms

Step 6: Use ICMP probes as an alternate signal.
Command
traceroute -I google.com

ICMP echo probes can succeed where UDP-based traceroute is filtered (or vice versa). Use this to validate whether probes are being blocked.

traceroute: using ICMP ECHO

Step 7: Use TCP SYN probes for firewall-friendly tracing.
Command
traceroute -T google.com

TCP-based traceroute can be useful in environments where ICMP and UDP are blocked. This uses TCP SYN probes (commonly toward port 80 by default).

traceroute: using TCP SYN, port 80

Step 8: Save traceroute output to a file.
Command
traceroute google.com > trace.log

Redirecting stdout creates an artifact you can attach to an incident or troubleshooting notes.

Step 9: Review the saved results.
Command
less trace.log

Use a pager to review the hop list, RTTs, and where responses stop. This is the view you copy into a ticket when you need to show the path behavior.
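Reviewing a saved trace by eye works for five hops, but for a long path it helps to have the log summarised: which hops were silent (the * * * case from Step 4) and where the per-hop RTT jumps. The script below is an added example, not part of traceroute or this lab's files; it parses a constructed trace.log-style sample written in the same layout as the lab's traceroute -n output and reports the first silent hop and the hop with the largest latency increase over the previous responsive hop.

```shell
#!/bin/sh
# Added example: summarise a saved traceroute log (such as trace.log from Step 8)
# to locate silent hops and the hop where latency jumps.

# Constructed sample in "traceroute -n" layout (not a real capture):
# hop 3 is fully silent, hop 5 loses one probe and adds roughly 85 ms.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1           0.945 ms   0.881 ms   0.864 ms
 2  10.0.0.1              6.972 ms   6.751 ms   6.538 ms
 3  * * *
 4  198.51.100.7         12.204 ms  12.093 ms  11.984 ms
 5  198.51.100.9         98.207 ms  97.165 ms  *
 6  203.0.113.10        101.432 ms 100.317 ms 100.281 ms
EOF

# trace_summary <file> [jump_threshold_ms]
# Prints one line per hop: "<hop> <avg_ms> <delta_ms> <status>", where delta is
# the increase over the previous responsive hop and status is ok, jump or silent.
trace_summary() {
    awk -v thr="${2:-50}" '
        /^ *[0-9]+ / {
            hop = $1; n = 0; sum = 0
            for (i = 2; i <= NF; i++)          # every "ms" token follows an RTT value
                if ($i == "ms") { sum += $(i - 1); n++ }
            if (n == 0) { printf "%d - - silent\n", hop; next }
            avg = sum / n
            delta = (prev == "") ? 0 : avg - prev
            printf "%d %.3f %.3f %s\n", hop, avg, delta, (delta > thr) ? "jump" : "ok"
            prev = avg
        }' "$1"
}

# first_silent_hop <file>: hop number of the first "* * *" hop, empty if none.
first_silent_hop() {
    trace_summary "$1" | awk '$4 == "silent" { print $1; exit }'
}

# largest_jump_hop <file>: hop whose average RTT grew most over the previous
# responsive hop; this is where to start localising a latency spike.
largest_jump_hop() {
    trace_summary "$1" | awk 'BEGIN { best = -1 }
        $4 != "silent" && $3 + 0 > best { best = $3 + 0; hop = $1 }
        END { print hop }'
}

trace_summary "$SAMPLE_FILE"
echo "first silent hop: $(first_silent_hop "$SAMPLE_FILE")"
echo "largest jump at hop: $(largest_jump_hop "$SAMPLE_FILE")"
```

Point the functions at your own trace.log instead of the sample; the threshold argument (default 50 ms) controls which hops are tagged as a jump.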

Common breakpoints

traceroute is installed but requires elevated privileges

Some systems restrict raw socket usage. If you see permission errors, run traceroute with appropriate privileges or use TCP mode where allowed.

Many hops show * * * intermittently

This can be normal when routers rate limit TTL-expired responses. Compare results across -I and -T and look for a consistent point where responses stop.

Path changes between runs

Routing can shift due to load balancing or network changes. Capture multiple traces and compare the divergence point to localize the unstable segment.

DNS lookups are slow and the trace stalls

Disable name resolution with -n to reduce noise and speed up collection when reverse DNS is unreliable.

Cleanup checklist

This lab is read-only aside from installing packages and writing an output file. If you created artifacts, remove them when you are done and keep only what you intend to attach to a ticket.

Commands
rm -f trace.log

Reference

  • traceroute <host> : Displays the hop-by-hop path to a destination.
  • traceroute -n <host> : Runs traceroute with numeric output only (no DNS lookups).
    • -n : Disables name resolution to reduce noise and speed up output.
  • traceroute -m <hops> <host> : Limits the maximum hop depth.
    • -m <hops> : Sets the max TTL/hop count (for example, 5).
  • traceroute -I <host> : Uses ICMP echo probes.
    • -I : Switches probing to ICMP ECHO for an alternate signal.
  • traceroute -T <host> : Uses TCP SYN probes (often more firewall-friendly).
    • -T : Switches probing to TCP SYN (commonly toward port 80 by default).
  • traceroute <host> > <file> : Redirects stdout to a file for later review.
    • > : Redirects standard output to a file.
  • less <file> : Opens a file in a pager for review.