traceroute(1M) traceroute(1M)
NAME
traceroute - output the route packets take to network host
SYNOPSIS
traceroute [-m maxttl] [-n] [-p port] [-q nqueries] [-r] [-s srcaddr]
[-g addr] [-t tos] [-v] [-w waittime] host [packetsize]
DESCRIPTION
The Internet is a large and complex aggregation of network hardware,
connected together by gateways. Tracking the route one's packets follow
(or finding the troublesome gateway that is discarding your packets)
can be difficult. traceroute utilizes the IP protocol ttl (time-to-live)
field and attempts to elicit an ICMP TIMEEXCEEDED response
from each gateway along the path to some host.
Warning:
This command should be used for diagnostic purposes only.
The only mandatory parameter is the destination host name or IP
number. The default probe datagram length is 38 bytes, but this may be
increased by specifying a packet size (in bytes) after the destination
host name.
OPTIONS
-m maxttl
Set the maximum time-to-live (maximum number of hops) used in
outgoing probe packets to maxttl hops. The default is 30 hops
(the same default used for TCP connections).
-n Output hop addresses numerically rather than symbolically and
numerically (saves a nameserver address-to-name lookup for each
gateway found on the path).
-p port
Set the base UDP port number used in probes to port (default is
33434). traceroute hopes that nothing is listening on UDP ports
port to port+maxttl-1 at the destination host (so an ICMP
PORTUNREACHABLE message will be returned to terminate the route
tracing). If something is listening on a port in the default
range, this option can be used to pick an unused port range.
-r Bypass the normal routing tables and send directly to a host on
an attached network. If the host is not on a directly-attached
network, an error is returned. This option can be used to ping a
local host through an interface that has no route through it
(e.g., after the interface was dropped by routed).
Page 1 Reliant UNIX 5.44 Printed 11/98
-s srcaddr
Use srcaddr as the IP address (which must be given as an IP
number, not a hostname) as the source address in outgoing probe
packets. On hosts with more than one IP address, this option can
be used to force the source address to be something other than
the IP address of the interface the probe packet is sent on. If
the IP address is not one of this machine's interface addresses,
an error is returned and nothing is sent.
-g addr
Enable the IP LSRR (Loose Source Record Route) option in addition
to the TTL tests. This is useful for asking how somebody else, at
IP address addr, reaches a particular target.
-t tos
Set the type-of-service in probe packets to the tos (default
zero). The value must be a decimal integer in the range 0 to 255.
This option can be used to see if different types-of-service
result in different paths.
Not all values of TOS are legal or meaningful. Useful values are
-t 16 (low delay) and -t 8 (high throughput).
-v Verbose output. Received ICMP packets other than TIMEEXCEEDED
and UNREACHABLEs are listed.
-q nqueries
Set the number of probe packets sent at each ttl setting to
nqueries (default 3 packets).
-w waittime
Set the time to wait for a response to a probe to waittime
seconds (default 3 seconds).
This program attempts to trace the route an IP packet would follow
to some Internet host by launching UDP probe packets with a
small ttl (time-to-live) then listening for an ICMP time exceeded
reply from a gateway.
It is advisable to start probes with a ttl of one and increase by
one until an ICMP port unreachable is returned (which means that
host has been reached) or a maximum is reached (the maximum
defaults to 30 hops and can be changed with the -m flag).
Three probes (changed with the -q flag) are sent at each ttl setting
and a line is output showing the ttl, the address of the
gateway and the round-trip time of each probe. If the probe
answers come from different gateways, the address of each
responding system will be output. If there is no response within
a 3 second timeout interval (changed with the -w flag), a * is
output for that probe. The destination host should not process
the UDP probe packets, so the destination port is set to an unlikely
value (if something on the destination is using that value, it
can be changed with the -p flag).
EXAMPLES
A sample command line and output might be:
[yak 71]% traceroute nis.nsf.net.
traceroute to nis.nsf.net (35.1.1.48), 30 hops max, 56 byte packet
1 helios.ee.lbl.gov (128.3.112.1) 19 ms 19 ms 0 ms
2 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 39 ms 19 ms
3 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 39 ms 19 ms
4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 39 ms 40 ms 39 ms
5 ccn-nerif22.Berkeley.EDU (128.32.168.22) 39 ms 39 ms 39 ms
6 128.32.197.4 (128.32.197.4) 40 ms 59 ms 59 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 59 ms
8 129.140.70.13 (129.140.70.13) 99 ms 99 ms 80 ms
9 129.140.71.6 (129.140.71.6) 139 ms 239 ms 319 ms
10 129.140.81.7 (129.140.81.7) 220 ms 199 ms 199 ms
11 nic.merit.edu (35.1.1.48) 239 ms 239 ms 239 ms
Note that lines 2 and 3 are the same. This is due to a buggy kernel on
the second hop system (lbl-csam.arpa) that forwards packets with a ttl
of 0 (a bug in the distributed version of 4.3BSD).
A more interesting example is:
[yak 72]% traceroute allspice.lcs.mit.edu.
traceroute to allspice.lcs.mit.edu (18.26.0.115), 30 hops max
1 helios.ee.lbl.gov (128.3.112.1) 0 ms 0 ms 0 ms
2 lilac-dmc.Berkeley.EDU (128.32.216.1) 19 ms 19 ms 19 ms
3 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 19 ms 19 ms
4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 19 ms 39 ms 39 ms
5 ccn-nerif22.Berkeley.EDU (128.32.168.22) 20 ms 39 ms 39 ms
6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms
8 129.140.70.13 (129.140.70.13) 80 ms 79 ms 99 ms
9 129.140.71.6 (129.140.71.6) 139 ms 139 ms 159 ms
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 ALLSPICE.LCS.MIT.EDU (18.26.0.115) 339 ms 279 ms 279 ms
Note that the gateways 12, 14, 15, 16 and 17 hops away either do not
send ICMP time exceeded messages or send them with a ttl too small to
get back to the sender. 14 - 17 are running the MIT C Gateway code
that does not send time exceeded messages. Nobody knows what is wrong
with 12.
The silent gateway 12 in the above may be the result of a bug in the
4.[23]BSD network code (and its derivatives): 4.x (x <= 3) sends an
unreachable message using whatever ttl remains in the original
datagram. Since, for gateways, the remaining ttl is zero, the ICMP
time exceeded is guaranteed not to make it back to the sender. The
behavior of this bug is slightly more interesting when it appears on
the destination system:
1 helios.ee.lbl.gov (128.3.112.1) 0 ms 0 ms 0 ms
2 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 19 ms 39 ms
3 lilac-dmc.Berkeley.EDU (128.32.216.1) 19 ms 39 ms 19 ms
4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 39 ms 40 ms 19 ms
5 ccn-nerif35.Berkeley.EDU (128.32.168.35) 39 ms 39 ms 39 ms
6 csgw.Berkeley.EDU (128.32.133.254) 39 ms 59 ms 39 ms
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 rip.Berkeley.EDU (128.32.131.22) 59 ms! 39 ms! 39 ms!
Note that there are 12 gateways (13 is the final destination) and
exactly the last half of them are missing. What is really happening is
that rip is using the ttl from our arriving datagram as the ttl in its
ICMP reply. So, the reply will time out on the return path (with no
notice sent to anyone since ICMPs are not sent for ICMPs) until we
probe with a ttl that is at least twice the path length. That means
that rip is really only 7 hops away. A reply that returns with a ttl
of 1 is a clue that this problem exists. traceroute outputs a ! after
the time if the ttl is <= 1. Since vendors often ship obsolete or
non-standard software, expect to see this problem frequently and/or
take care picking the target host of your probes.
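The following is an added example, not part of the original manual page
or of the traceroute source: a small Python simulation (no packets are
sent) of the probing loop and of a destination that copies the arriving
ttl into its ICMP reply. The function names, the initial ICMP ttl of 255
and the one-decrement-per-gateway model are assumptions of the example.

```python
# Added illustration: simulated TTL handling only, no packets are sent.
INITIAL_ICMP_TTL = 255  # assumed TTL a correct stack puts on its ICMP replies


def return_trip(reply_ttl, gateways_back):
    """TTL left when an ICMP reply reaches the sender, or None if it dies.

    Each gateway on the way back decrements the TTL; a reply that hits 0
    is dropped silently, because ICMP errors are not sent for ICMP errors.
    """
    remaining = reply_ttl - gateways_back
    return remaining if remaining >= 1 else None


def probe(ttl, path_len, reflecting_dest):
    """Send one simulated probe; return (responder_hop, arriving_ttl) or None.

    Hops 1..path_len-1 are gateways, hop path_len is the destination.
    """
    if ttl < path_len:
        # TTL expires at gateway number `ttl`, which answers TIMEEXCEEDED.
        back = return_trip(INITIAL_ICMP_TTL, ttl - 1)
        return (ttl, back) if back else None
    # The probe reaches the destination with this much TTL left.
    arrival_ttl = ttl - (path_len - 1)
    reply_ttl = arrival_ttl if reflecting_dest else INITIAL_ICMP_TTL
    back = return_trip(reply_ttl, path_len - 1)
    return (path_len, back) if back else None


def trace(path_len, reflecting_dest, max_ttl=30):
    """Run the probing loop; return one output token per TTL value."""
    lines = []
    for ttl in range(1, max_ttl + 1):
        answer = probe(ttl, path_len, reflecting_dest)
        if answer is None:
            lines.append("*")
            continue
        hop, arriving_ttl = answer
        flag = "!" if arriving_ttl <= 1 else ""
        lines.append(f"hop{hop}{flag}")
        if hop == path_len:  # PORTUNREACHABLE from the destination: stop
            break
    return lines


if __name__ == "__main__":
    for n, line in enumerate(trace(7, reflecting_dest=True), start=1):
        print(n, line)
```

With a 7-hop path and a reflecting destination the simulation reproduces
the shape of the rip.Berkeley.EDU trace above: six answering gateways,
six silent lines, and the destination on line 13 flagged with !.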
Other possible annotations after the time are:
- !H, !N, !P
(received a host, network or protocol unreachable, respectively)
- !S or !F
(source route failed or fragmentation needed - neither of these
should ever occur and the associated gateway is down if you see
one)
If almost all the probes result in some kind of unreachable,
traceroute will give up and exit.
traceroute -g 10.3.0.5 128.182.0.0
shows the path from the Cambridge Mailbridge to PSC while
traceroute -g 192.5.146.4 -g 10.3.0.5 35.0.0.0
on the other hand, shows how the Cambridge Mailbridge reaches Merit,
by using PSC to reach the Mailbridge.
This program is intended for use in network testing, measurement and
management. It should be used primarily for manual fault isolation.
It is unwise to use traceroute during normal operations or from
automated scripts due to the load it could impose on the network.
SEE ALSO
netstat(1M), ping(1M).