Traceroute/tracert command tool
Traceroute (in the Cisco/Unix/Linux world) or tracert (in the Windows world) is another very useful TCP/IP command-line tool for troubleshooting network connectivity. The tracert/traceroute command tool is built in and available out of the box in all Cisco/Windows/Unix/Linux Operating Systems. In this tutorial, we are going to use the Windows-based tracert command to understand how the traceroute/tracert command tool works.
I strongly recommend that you visit the following lessons before reading further.
- Datalink Layer (Layer 2)
- Network Layer (Layer 3)
- TTL (Time-to-Live) value in IPv4 header
- IPv4 addresses, IPv4 Address Classes, IPv4 Address Classifications
- Internet Control Message Protocol, ICMP, How ICMP Work, ICMP Header, ICMP Message Header
- ICMP message types
- ICMP Echo Request and Echo Reply messages
- ICMP Time Exceeded messages
- What is hop count in routing
- What is routing loop and how TTL (Time-to-Live) value can prevent routing loop
Why we use tracert/traceroute command tool
The tracert/traceroute command tool can be used to trace the path followed by an IPv4 datagram from source to destination, since there can be multiple paths between the source and the destination. The tracert/traceroute command tool can also be used to troubleshoot network connectivity. Let us try to understand the use of the tracert/traceroute command tool for network troubleshooting.
Please refer to the topology shown in the image below.
We have a small network with four routers at four different geographical locations. The computer at your desk (JAJISH-PC-1, the source) is up and running, and the computer at the destination (JAJISH-PC-2) is known to be up and running, but there is no layer 3 connectivity between your computer (JAJISH-PC-1) and the destination computer (JAJISH-PC-2). IPv4 datagrams sent from your computer (JAJISH-PC-1) are not reaching the destination computer (JAJISH-PC-2). We are in a critical situation: the connection is totally down, and we urgently need to find where, in the whole path from the source to the destination, the connectivity is broken. The routers and computers are located far apart at different geographical locations, and you cannot run between them. The tracert/traceroute command tool is very helpful for finding where on the path from source to destination the layer 3 connectivity is broken. Once you know where on the path the network connectivity is broken, you can seek help from the network engineer at that location to troubleshoot the network issue.
How tracert/traceroute command tool works
The tracert/traceroute command tool works by making use of the TTL (Time-to-Live) value in the IPv4 header, ICMP Echo Request and Echo Reply messages, and ICMP Time Exceeded messages.
The TTL (Time-to-Live) value in the IPv4 header is the maximum number of hops (simply, the number of routers) that an IPv4 datagram can pass through between the source and the destination in a TCP/IP network before it is discarded by a router on its path to the destination computer. The TCP/IP device that generated the IPv4 datagram sets an initial TTL value in the IPv4 header, for example 128. Every router on the path from source to destination decrements the TTL value in the IPv4 header by 1. If an IPv4 datagram arrives at a router with a TTL value of 1, that router will discard the IPv4 datagram.
The main point to note here is that when a router discards an IPv4 datagram because the TTL (Time-to-Live) value in the IPv4 header has expired, it sends back an ICMP Time Exceeded message to notify the original sender (in this example, JAJISH-PC-1) that the IPv4 datagram was discarded because the TTL (Time-to-Live) value in the IPv4 header had expired. The tracert/traceroute command tool makes use of these ICMP Time Exceeded messages to find out where the connectivity is broken.
The TTL (Time-to-Live) value in the IPv4 header is mainly used to prevent routing loops, an undesirable condition in TCP/IP networks. ICMP Echo Request and Echo Reply messages and ICMP Time Exceeded messages are two types of messages in the Internet Control Message Protocol (ICMP). Please refer to the links above to learn more about the terms we discussed.
Special Notes:
- Please note that I am using the Windows Operating System on JAJISH-PC-1 and JAJISH-PC-2. So the command used will be tracert instead of traceroute. If you are planning to use a Cisco/Unix/Linux Operating System to do the lab, please use traceroute instead.
- The captured packets may look slightly different on Unix/Linux TCP/IP implementations if you are doing the lab using a Unix/Linux Operating System (by default, Unix/Linux traceroute sends UDP probes to high-numbered ports instead of ICMP Echo Requests, so the probe packets differ, although the ICMP Time Exceeded messages returned by the routers are the same).
- There may be multiple ICMP Echo Request messages and ICMP Time Exceeded messages in each step (three of each in Windows tracert). But for simplicity, I have shown only one of each.
- We are using the topology diagram at the beginning of this lesson to understand how traceroute/tracert works. Please refer to the topology diagram at the beginning of this lesson before continuing.
- Please refer to the links provided at the beginning of this lesson to understand the technical terms used in this lesson.
Okay, let us explore more deeply how the path tracing is done in traceroute/tracert. I have divided the whole process of tracing the path from the source to the destination into different steps below, to give you a clear view of how the tracert command tool works. The command to run the tracert command tool on a Windows machine is shown in the image below. I am going to run the tracert command tool on the source computer (JAJISH-PC-1), as shown below.
Note that the tracert command can also be run by specifying a domain name instead of an IPv4 address. The tracert command then resolves the domain name into an IPv4 address and starts sending ICMP Echo Request messages to the destination IPv4 address.
Step 1 - Tracert command will generate and send ICMP Echo Request message with TTL value as 1 to the destination
When you run the tracert command, the source computer generates and sends an ICMP Echo Request message with the TTL value in the IPv4 header set to 1 to the destination computer.
The Wireshark capture screenshot of the ICMP Echo Request message with an IPv4 header TTL value of 1 is copied below.
Since the TTL value in the IPv4 header is set to 1, the first-hop router (the default gateway) will discard the IPv4 datagram carrying the above ICMP Echo Request message and will send back an ICMP Time Exceeded message to notify the computer JAJISH-PC-1 that the IPv4 datagram sent from JAJISH-PC-1 was discarded because the TTL (Time-to-Live) value in the IPv4 header had expired.
The Wireshark capture screenshot of the ICMP Time Exceeded message from the first-hop router (OMNISECU-ROUTER-1) is copied below.
Since the ICMP Time Exceeded message is from 172.16.0.1 (the source IPv4 address of the IPv4 datagram carrying the ICMP Time Exceeded message), the traceroute/tracert command tool knows that the packet reached 172.16.0.1 (the first-hop router). Once the traceroute/tracert command tool has received the ICMP Time Exceeded message from the first-hop router, the result is displayed at the command prompt: the first-hop router is reachable, as shown in the image below.
Step 2 - Tracert command will generate and send ICMP Echo Request message with TTL value as 2 to the destination
The source computer (JAJISH-PC-1, in this example) then generates and sends an ICMP Echo Request message with the IPv4 header TTL value set to 2 to the destination computer.
The Wireshark capture screenshot of the ICMP Echo Request message with an IPv4 header TTL value of 2 is copied below.
Since the TTL value in the IPv4 header is 2 in this case, the first router (the default gateway) will forward the IPv4 datagram to the next router (OMNISECU-ROUTER-2) on the path after decrementing the current TTL value by 1. The packet has now reached the second router on its way to the destination computer, with an IPv4 header TTL value of 1. The second router will discard the packet and will send back an ICMP Time Exceeded message to notify the source computer (JAJISH-PC-1) that the IPv4 datagram was discarded because the TTL (Time-to-Live) value in the IPv4 header had expired.
The Wireshark capture screenshot of the ICMP Time Exceeded message from the second router (OMNISECU-ROUTER-2) is copied below.
Since the ICMP Time Exceeded message is from 192.168.10.2 (the source IPv4 address of the IPv4 datagram carrying the ICMP Time Exceeded message from the second router to the source computer), the traceroute/tracert program knows that the packet reached 192.168.10.2. Interesting!!! The traceroute/tracert command tool has received the IPv4 address of the interface of the second router facing the source computer (JAJISH-PC-1). The source computer also now knows that everything is in good shape up to the second router (OMNISECU-ROUTER-2). The output of the tracert command at this point is copied below.
Step 3 - Tracert command will generate and send ICMP Echo Request message with TTL value as 3 to the destination
Once the result explained in the previous step is displayed at the command prompt, the source computer generates and sends the next ICMP Echo Request message, with the IPv4 header TTL value set to 3, to the destination computer.
The Wireshark capture screenshot of the ICMP Echo Request message with an IPv4 header TTL value of 3 is copied below.
Since the TTL value in the IPv4 header is 3, both the first router (OMNISECU-ROUTER-1) and the second router (OMNISECU-ROUTER-2) will forward the IPv4 datagram to the next router (OMNISECU-ROUTER-3) on the path, each decrementing the TTL value by 1. The packet has now reached the third router (OMNISECU-ROUTER-3) on its way to the destination computer, with an IPv4 header TTL value of 1. The original TTL value was 3, but it was decremented by 1 twice, at two routers, and became 1 when it reached the third router. The third router will discard the packet and will send back an ICMP Time Exceeded message to notify the source computer (JAJISH-PC-1) that the IPv4 datagram was discarded because the TTL (Time-to-Live) value in the IPv4 header had expired.
The Wireshark capture screenshot of the ICMP Time Exceeded message from the third router (OMNISECU-ROUTER-3) is copied below.
Since the ICMP Time Exceeded message is from 192.168.11.2 (the source IPv4 address of the IPv4 datagram carrying the ICMP Time Exceeded message from the third router), the traceroute/tracert command tool knows that the packet reached 192.168.11.2. The traceroute/tracert command tool has received the IPv4 address of the interface of the third router facing the source computer (JAJISH-PC-1). The source computer also now knows that everything is in good shape up to the third router (OMNISECU-ROUTER-3). The tracert command output at this point is copied below.
Step 4 - Tracert command will generate and send ICMP Echo Request message with TTL value as 4 to the destination
Again, the source computer (JAJISH-PC-1) generates and sends the next ICMP Echo Request message, with the IPv4 header TTL value set to 4, to the destination computer.
The Wireshark capture screenshot of the ICMP Echo Request message with an IPv4 header TTL value of 4 is copied below.
Since the TTL value in the IPv4 header is 4, the first router (OMNISECU-ROUTER-1), the second router (OMNISECU-ROUTER-2) and the third router (OMNISECU-ROUTER-3) will forward the IPv4 datagram to the next router on the path, each decrementing the TTL value by 1. The packet has now reached the fourth router (OMNISECU-ROUTER-4) on its way to the destination computer, with an IPv4 header TTL value of 1. The original TTL value was 4, but it was decremented by 1 three times, at three routers, and finally became 1 when it reached the fourth router. Now the fourth router (OMNISECU-ROUTER-4) will discard the packet and will send back an ICMP Time Exceeded message to notify the source computer that the IPv4 datagram was discarded because the TTL (Time-to-Live) value in the IPv4 header had expired.
The Wireshark capture screenshot of the ICMP Time Exceeded message from the fourth router (OMNISECU-ROUTER-4) is copied below.
The traceroute/tracert command tool at the source computer has received the IPv4 address of the interface of the fourth router facing the source computer (JAJISH-PC-1), which is 192.168.12.2. Everything is fine for the IPv4 datagram on its way to the destination computer (JAJISH-PC-2) up to the fourth router (OMNISECU-ROUTER-4). The tracert command output at this stage is copied below.
Step 5 - Tracert command will generate and send ICMP Echo Request message with TTL value as 5 to the destination
Again, the source computer (JAJISH-PC-1) generates and sends the next ICMP Echo Request message, with the IPv4 header TTL value set to 5, to the destination computer.
The Wireshark capture screenshot of the ICMP Echo Request message with an IPv4 header TTL value of 5 is copied below.
In this case, the TTL value in the IPv4 header is high enough to reach the destination computer (JAJISH-PC-2). The fourth router will forward the ICMP Echo Request message into its connected subnet, and it finally reaches the destination computer, 172.17.0.100. When it reaches the destination computer (JAJISH-PC-2), that computer sends an ICMP Echo Reply message back to the source computer (JAJISH-PC-1).
The Wireshark capture screenshot of the ICMP Echo Reply message received back at the source computer (JAJISH-PC-1) is copied below.
Once the traceroute/tracert program running at the source computer has received the ICMP Echo Reply message from the destination computer, it can be sure that no link or router is down on the path to the destination computer.
The final traceroute/tracert command output is copied below.
Incrementing the IPv4 header TTL value by 1 continues until an ICMP Echo Reply message is received from the destination computer, or until the maximum of 30 hops (by default) is reached.
If any link or router is down on the way from the source computer to the destination computer, you will receive traceroute/tracert output as shown below.
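To make the five steps above and the final "link down" case concrete, here is an added example (not part of the original lesson, and not the tracert program itself): a Python simulation that models the lesson's topology in memory (router and host names and addresses taken from the lesson) and replays the TTL / ICMP Time Exceeded / ICMP Echo Reply mechanics without sending any packets. The `Hop`, `send_probe`, `tracert` and `break_point` names are this example's own.

```python
# Added example: an in-memory simulation of the tracert algorithm in this
# lesson. No packets are sent; the routers and destination host are modelled.
from dataclasses import dataclass

MAX_HOPS = 30  # Windows tracert stops after 30 hops by default (from the lesson)

@dataclass
class Hop:
    name: str
    addr: str        # source-facing interface address seen in the ICMP reply
    up: bool = True  # False models a down link/router (the lesson's last case)

# The lesson's topology: four routers, then the destination host.
LESSON_PATH = [
    Hop("OMNISECU-ROUTER-1", "172.16.0.1"),
    Hop("OMNISECU-ROUTER-2", "192.168.10.2"),
    Hop("OMNISECU-ROUTER-3", "192.168.11.2"),
    Hop("OMNISECU-ROUTER-4", "192.168.12.2"),
    Hop("JAJISH-PC-2", "172.17.0.100"),
]

def send_probe(path, ttl):
    """One ICMP Echo Request with initial TTL; returns (reply kind, replying address)."""
    for i, hop in enumerate(path):
        if not hop.up:
            return ("timeout", None)            # nothing comes back from a dead hop
        if i == len(path) - 1:
            return ("echo-reply", hop.addr)     # destination answers the Echo Request
        ttl -= 1                                # each router decrements TTL by 1
        if ttl == 0:
            return ("time-exceeded", hop.addr)  # router discards and reports back
    return ("timeout", None)

def tracert(path, max_hops=MAX_HOPS):
    """The lesson's loop: TTL 1, 2, 3, ... until an Echo Reply or max_hops is reached."""
    rows = []
    for ttl in range(1, max_hops + 1):
        kind, addr = send_probe(path, ttl)
        rows.append((ttl, addr))                # None is where tracert prints "* * *"
        if kind == "echo-reply":
            break
    return rows

def break_point(rows):
    """(last answering address, first silent hop number), or None if the path is intact."""
    last = None
    for ttl, addr in rows:
        if addr is None:
            return (last, ttl)
        last = addr
    return None
```

Running `tracert(LESSON_PATH)` reproduces the five rows of the lesson's final output; marking a router with `up=False` reproduces the failure case, where every probe from that hop onwards times out until the 30-hop limit and `break_point` names the last router that answered.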