Network Administration: Understanding How tracert Works

Understanding how tracert works can provide some insight that may help you to interpret the results it provides. Plus, you can use this knowledge to impress your friends, who probably don’t know how it works.

The key to tracert is a field that’s a standard part of all IP packets called TTL, which stands for Time to Live. In most other circumstances, a value called TTL would be a time value — not in IP packets, however. In an IP packet, the TTL value indicates how many routers a packet can travel through on its way to its destination.

Every time a router forwards an IP packet, it subtracts one from the packet’s TTL value. When the TTL value reaches zero, the router refuses to forward the packet.

The tracert command sends a series of special messages called ICMP Echo Requests to the destination computer. The first time it sends this message, it sets the TTL value of the packet to 1.

When the packet arrives at the first router along the path to the destination, that router subtracts one from the TTL value, sees that it has become 0, discards the packet, and sends an ICMP Time Exceeded message back to the original host.

When the tracert command receives this Time Exceeded message, it extracts the IP address of the router from it, calculates the time it took for the message to return, and displays the first hop.

Then the tracert command sends another Echo Request message, this time with the TTL value set to 2. This message passes through the first router (which decrements the TTL from 2 to 1) and reaches the second router, which decrements it to 0 and sends back a Time Exceeded message.

When tracert receives the Time Exceeded message from the second router, it displays the line for the second hop. This process continues, each time with a greater TTL value, until the Echo Request finally reaches the destination. The destination answers with an ICMP Echo Reply rather than a Time Exceeded message, which is how tracert knows the trace is complete.
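The loop just described, as an added simulation that is not part of the original article: routers decrement the TTL, the one that brings it to 0 answers Time Exceeded, the destination answers Echo Reply, and tracert raises the TTL by one per probe. It also models a router that silently discards the packet (the "*" hops seen in real output), which the article does not discuss. The path, addresses and helper names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample path: the routers between this host and the destination.
# Addresses come from documentation ranges and are not real infrastructure.
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
DESTINATION = "203.0.113.50"
# Routers that discard the expired packet but never send Time Exceeded back;
# these are what produce the "* * *" lines in real tracert output.
SILENT = {"198.51.100.1"}


@dataclass
class Reply:
    kind: str    # "time_exceeded" or "echo_reply"
    source: str  # address of the router or host that answered


def send_echo_request(ttl, path, destination, silent=frozenset()) -> Optional[Reply]:
    """Simulate one ICMP Echo Request with the given TTL travelling along `path`.

    Each router subtracts one from the TTL. The router that brings it to 0
    discards the packet and answers with Time Exceeded (or stays silent).
    A packet that survives every router is answered by the destination.
    """
    if ttl < 1:
        raise ValueError("TTL must be at least 1 to leave the sending host")
    for router in path:
        ttl -= 1
        if ttl == 0:
            return None if router in silent else Reply("time_exceeded", router)
    return Reply("echo_reply", destination)


def tracert(destination, path, silent=frozenset(), max_hops=30):
    """Reproduce the tracert loop: TTL 1, 2, 3, ... until the destination replies."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_echo_request(ttl, path, destination, silent)
        if reply is None:
            hops.append((ttl, "*", "no reply"))  # expired hop that never answered
            continue
        hops.append((ttl, reply.source, reply.kind))
        if reply.kind == "echo_reply":  # reached the destination; trace complete
            break
    return hops


if __name__ == "__main__":
    for hop, address, kind in tracert(DESTINATION, PATH, SILENT):
        print(f"{hop:3d}  {address:<16} {kind}")
```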

The Unix/Linux traceroute command uses a slightly different set of TCP/IP messages and responses to accomplish the same result.