Advanced Tracing

Charly's Column – traceroute

Article from Issue 235/2020

Like every admin, Charly regularly uses the classic traceroute tool. If unfriendly digital natives interfere with an ICMP filter, he simply switches to a clever alternative like LFT.

Practically every admin uses the classic traceroute tool at more or less regular intervals. This gets me all the more irritated when I find myself in a hotel with a WiFi network where the admin has completely disabled ICMP. Apart from the fact that this causes more trouble than benefits in what is by definition a public network, it can be easily circumvented.

The first version of traceroute was written in 1988 by a certain Van Jacobsen – Van is his first name, not an honorific. To be able to trace the path of packets through the web, Jacobsen came up with a clever method. He sent test packets through the Internet to a defined destination and increased the time to live (TTL) value for each packet.

The first packet is assigned a TTL of one. Each router that transports the packet further reduces the TTL by one. Once the TTL reaches a value of zero, the router sends it back with an ICMP TTL exceeded message. By successively increasing the TTL, Jacobsen got the packets back from routers that were further and further away and was able to follow the path of the packet until it finally reached its destination.

This does not work if the remote peer suppresses ICMP messages. However, traceroute has evolved over the years. It has been able to use an alternative TCP-based method that relies on TCP SYN packets for quite some time. Figure 1 shows two traceroutes to the same destination, the BBC web server ( The first call gets stuck at some point, probably due to an ICMP filter. The second one uses TCP SYN packets – it gets to its destination unhindered.

Figure 1: Where the classic traceroute fails, a simple -T (for TCP-SYN) often does the trick.

Alternative traceroute tools, such as MTR [1], which continuously repeats the trace and thus helps to detect occasional packet losses, take things one step further. Another very interesting tool is Layer Four Traceroute (LFT [2]). It can handle other transport methods and thus makes it through most firewalls. In addition, it can output whose network blocks the packet is passing through, including the number of the autonomous system responsible for it (Figure 2).

Figure 2: Knows where it's going: LFT makes it through most firewalls and returns the network blocks it has passed through.

It is therefore worthwhile to take a closer look at the different traceroute variations – if only to keep your blood pressure down during your next hotel stay.


  1. "Sys Admin's Daily Grind: Step Counter" by Charly Kühnast, Linux Magazine, issue 119, October 2010, p. 47
  2. LFT:

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column: My Traceroute

    Charly takes the name of the “My Traceroute” tool very literally. The journey is the reward for this alternative TTL-measuring utility.

  • The sys admin's daily grind: DNSDiag

    If some transactions take an inexplicably long time, you don't have to blame yourself for the delayed transmission of user data. Name resolution issues might be to blame. Sys admin Charly has three tools to study the DNS server.

  • Command Line: Network Diagnostic Tools

    Linux has the right tools to track down network errors and open the way for data packets.

  • The sys admin's daily grind: sshuttle

    When he doesn't want to deal with OpenVPN version conflicts or congestion control problems during TCP tunneling, Charly catches a ride on sshuttle.

  • Clever Tracker

    If you are a genuine admin, you will want to be able to google things at the command line. Charly uses googler for this; it has pretty useful capabilities despite the unimaginative name.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More