
How does tracert work (Windows)

August 13, 2009


Have you ever wondered how tracert actually works and what all the extra data it reports back means? When you give the tracert utility a host name, such as tracert microsoft.com, the machine first does a DNS lookup to find the address. In the example below I did a tracert to 4.2.2.1.

What is the first column of numbers?

The first column of numbers is the hop count: the number of routed networks between you and the host.

What are the three numbers to the right of each hop?

These numbers are the round-trip times for that device to respond to your request. Windows uses the TTL field in the IP header to measure the hops between the client and the server.

Windows starts by sending an ICMP echo request packet to the destination with a TTL of 1. When a router receives the packet and begins to process it, it decrements the TTL by 1. When the TTL reaches 0 the router discards the packet and sends back a Time to live exceeded in transit error message. Windows then sends two more packets with the same TTL and records the round-trip time for that router. Next the Windows client increments the TTL by 1, reaching each router in turn, until the packet reaches its final destination and the Windows client receives the echo reply.

Example: tracert in action (the tracert output is not included in this copy of the post)

Example: Packet capture showing the echo requests and replies from the routers

Source Destination Protocol Info
192.168.255.3 4.2.2.1 ICMP Echo (ping) request

First Router
192.168.255.1 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
192.168.255.1 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
192.168.255.1 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Second Router
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
96.252.170.1 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
96.252.170.1 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
96.252.170.1 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Third Router
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
130.81.105.142 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
130.81.105.142 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
130.81.105.142 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Fourth Router
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
130.81.28.233 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
130.81.28.233 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
130.81.28.233 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Fifth Router
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
130.81.19.30 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
130.81.19.30 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
130.81.19.30 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Sixth Router
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
152.63.86.69 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
152.63.86.69 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
152.63.86.69 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Seventh Router
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
152.63.81.145 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
152.63.81.145 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
152.63.81.145 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Eighth Router
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
4.68.127.189 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
4.68.127.189 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
4.68.127.189 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Ninth Router
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
4.68.103.34 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
4.68.103.2 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
4.68.103.2 192.168.255.3 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Final Destination
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
4.2.2.1 192.168.255.3 ICMP Echo (ping) reply
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
4.2.2.1 192.168.255.3 ICMP Echo (ping) reply
192.168.255.3 4.2.2.1 ICMP Echo (ping) request
4.2.2.1 192.168.255.3 ICMP Echo (ping) reply

What are the names and numbers at the end of each line?

These are the names and IP addresses of the inside interface of the router the packet is trying to traverse. This information comes from a two-step process in which the Windows client does a reverse lookup of the IP address returned in the Time to live exceeded in transit message. Once the client has this information, the name and the IP address are displayed on the screen and the client moves on to the next hop.

What happened? I got a "*" and nothing displays after that

If you encounter a router that is configured to silently discard packets whose TTL has expired, a * is displayed in its place. That router may also be configured to filter packets by discarding all ICMP error messages passing through it, which makes the display show * for all subsequent hops. If no such filter is in place, the display may be fully populated again at later hops.
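As an added example that is not part of the original post, the following Python simulation walks through the loop described earlier (TTL 1 upward, three probes per hop, Time to live exceeded versus echo reply, then a reverse lookup of the responder) and the two "*" cases above: a router that silently drops expired probes, and one that also filters the ICMP errors passing through it. The router latencies and reverse-DNS names are constructed; the addresses are borrowed from the capture above.

```python
from dataclasses import dataclass


@dataclass
class Router:
    addr: str
    latency_ms: float             # one-way delay added by this hop (constructed value)
    silent: bool = False          # discards TTL-expired probes without sending an ICMP error
    filters_errors: bool = False  # drops ICMP error messages passing through it


# Constructed sample path: the second router drops expired probes AND filters transit errors.
PATH = [Router("192.168.255.1", 1.0),
        Router("96.252.170.1", 4.0, silent=True, filters_errors=True),
        Router("130.81.105.142", 6.0)]
DEST = "4.2.2.1"
REVERSE_DNS = {"192.168.255.1": "gateway.example.net"}   # constructed reverse-lookup table


def send_probe(path, dest, dest_latency_ms, ttl):
    """Forward one echo request with the given TTL along the path.
    Returns (kind, responder_addr, rtt_ms), or None when nothing comes back."""
    one_way = 0.0
    for i, router in enumerate(path):
        one_way += router.latency_ms
        ttl -= 1                          # every router decrements the TTL
        if ttl == 0:                      # expired here: the router discards the packet
            # no error reaches us if this router is silent or an earlier router filters errors
            if router.silent or any(r.filters_errors for r in path[:i]):
                return None
            return ("exceeded", router.addr, 2 * one_way)
    one_way += dest_latency_ms
    return ("reply", dest, 2 * one_way)   # TTL survived every router: the destination echoes


def tracert(path, dest, dest_latency_ms=2.0, probes=3, max_hops=30):
    """The tracert loop: TTL 1, 2, 3 ... with three probes each, until an echo reply arrives."""
    rows = []
    for ttl in range(1, max_hops + 1):
        answers = [send_probe(path, dest, dest_latency_ms, ttl) for _ in range(probes)]
        rtts = [a[2] if a else None for a in answers]       # None is shown as "*"
        responders = {a[1] for a in answers if a}
        addr = responders.pop() if responders else "*"
        rows.append((ttl, rtts, addr))
        if any(a and a[0] == "reply" for a in answers):
            break
    return rows


def format_row(ttl, rtts, addr, reverse_dns):
    """Mimic the tracert display, including the reverse lookup of the responding address."""
    times = "  ".join("*" if r is None else f"{r:.0f} ms" for r in rtts)
    name = reverse_dns.get(addr)
    host = f"{name} [{addr}]" if name else addr
    return f"{ttl:>3}  {times}  {host}"


if __name__ == "__main__":
    for ttl, rtts, addr in tracert(PATH, DEST):
        print(format_row(ttl, rtts, addr, REVERSE_DNS))
```

With the filtering router in place, hops 2 and 3 print as "*" but the final hop still appears, because the destination's echo reply is not an ICMP error message and passes the filter.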

Filed under: General News, TCP/IP