Understanding Traceroute: How It Works and Why Port Scanning Matters

When data travels across the Internet or a private network, it passes through many different pieces of hardware called gateways. These are typically routers but can also be switches, servers, or computers. Each of these devices is known as a hop.

When you see a star in the traceroute results, this usually indicates that a device at that hop is not configured to respond to pings or traceroutes. It doesn’t necessarily mean a connectivity issue at that gateway.

What is Traceroute?

Whether you’re looking to determine the owner of a website or simply trying to troubleshoot Internet issues, traceroute is a valuable tool to have in your arsenal. This computer network diagnostic utility allows you to map the path data travels across multiple devices and networks—particularly routers—to reach its destination.

The traceroute command works by taking advantage of a feature within an Internet Protocol packet known as the time to live (TTL). When a packet leaves your PC, it’s set with a TTL value 1. As the packet travels toward its destination, each device it encounters will decrement that TTL value by one until eventually reaching a point where the TTL expires and an ICMP Time Exceeded message is sent back to your PC.

Once your PC receives this message, it will log the first server encountered on the traceroute path as its location and display that host’s information in the traceroute command output. The next hops are listed in the order that your PC received the ICMP message from each router.

Each row in the traceroute output displays the number of hops, a round-trip time estimate in milliseconds, and the IP address or hostname for each device on the route. Any hops listed with an asterisk mean that the underlying device failed to respond to the traceroute request within the expected time, possibly due to a security issue or because the destination device isn’t configured to answer ping requests.

How Does Traceroute Work?

In its most basic form, traceroute sends User Datagram Protocol (UDP) packets from the system running it — the source computer — to the destination, which could be a server, router, or other network device. Each ping and traceroute step includes increasing the time for the packet to reach each router along the path, known as the round trip time (RTT).

The first iteration of the traceroute port only shows one router because the TTL is set to 1. The next iteration of the utility sets the TTL to 2, and so on, until it reaches the destination or an upper limit of 30 hops (which can be adjusted using different flags when the command is run). Each iteration of the utility prints a list of routers reached, their TTL values and the RTT experienced at each.

Administrators should run a traceroute when a network issue arises to see the results in normal conditions. It will give them a baseline to compare against when they try to diagnose an issue, as it’s easier to identify problems when the network is functioning normally. The results of a traceroute can help pinpoint an area where there may be an issue, such as a network device that’s not responding or a router that has gone offline.

Why Should I Use Traceroute?

For many managed services providers (MSPs) and IT admins, traceroute is one of the first tools they turn to when troubleshooting network latency or connectivity problems. It’s a simple tool that anyone with access to a command prompt can run, and it can provide valuable information on how your data packets are traveling through the Internet.

Traceroute takes advantage of the Time to Live field in IP packets. This field specifies how long the routers in your network should keep a packet before they expire and drop it. Traceroute cleverly uses this to determine which routers are en route to your destination.

When you invoke the traceroute command, it sends a packet toward the specified destination, which can be either an IP address or a hostname. The output consists of a list of hops between your PC and the target, including each hop’s Round-Trip Time (RTT).

The first hop will receive the packet, decrement its TTL to 1, and then send an ICMP Time Exceeded message back to your PC. As more and more hops pass, the TTL decreases until the packet reaches the final server, where it’ll eventually get a reply from that server. At that point, your traceroute is finished. Note that this is okay; if the server responds appropriately, it may mean the server is down.

How Does Port Scanning Work?

Port scanning is a process that identifies open ports on a computer. According to the SANS Institute, it allows cybercriminals to discover services they can exploit.

Ports are points at which information exchange between programs and the Internet occurs. Each port is assigned a unique number that enables routing devices to send packets to the appropriate destination. In conjunction with an IP address, ports form vital information that enables computers to communicate with each other over the Internet.

Different ports have different characteristics. Some may be open, closed, or filtered; others respond differently to specific requests. By analyzing these differences, attackers can gain valuable information about a target environment, including the online status of computers, their applications, and their operating systems.

There are many ways to conduct port scans, each with advantages and disadvantages. For example, a vanilla scan (also known as a full-connect scan) attempts to connect to all 65,536 ports on a network by sending an SYN flag and evaluating whether each host will elicit an acknowledgment response (SYN-ACK). This method is accurate but easily detectable since most networks log full-connect interactions. Another popular technique, SYN scans (half-open scans), creates a partial connection with each port and evaluates the host’s response. It is more efficient and less likely to be detected by firewalls but is less reliable than vanilla or full-connect scans.