PublishedApril 2, 2026

Traceroute Command: Tips for Troubleshooting Connectivity Problems

Ready to start learning?

When a user says, “The site is down,” the fastest mistake is to guess. Traceroute gives you evidence. It shows the path packets take across the network, hop by hop, so you can see where delay starts, where traffic disappears, and whether the break is inside your LAN, at the ISP edge, or somewhere farther away. For network admins, help desk teams, and systems engineers, that makes traceroute one of the most useful first-line troubleshooting tools available.

It is especially helpful when you need to diagnose packet loss, high latency, routing loops, and destinations that do not respond at all. If DNS resolves correctly but the application still fails, traceroute helps narrow the problem to a path, a hop, or a policy decision. It will not fix anything by itself. It tells you where to look next, which is often the difference between a quick resolution and hours of blind testing.

There is one important caveat: traceroute results are not always identical from run to run. Firewalls, load balancing, and ICMP filtering can change what you see. That is normal. The skill is not just running the command. The skill is reading the output in context and knowing when a timeout is meaningful and when it is just a filtered response.

Understanding How Traceroute Works

Traceroute works by sending probe packets with gradually increasing TTL values, or Time To Live. Each router that forwards the packet decreases the TTL by one. When the TTL reaches zero, the router discards the packet and sends back an ICMP Time Exceeded message. That reply reveals the router’s address and confirms one hop along the path.

This is why traceroute can map a route without needing administrative access to every device in the path. It does not ask routers to cooperate beyond sending a standard error response. The result is a hop-by-hop view that usually includes the hop number, the host name or IP address, and one or more round-trip time measurements in milliseconds.

On Linux and macOS, the command is usually traceroute. On Windows, the equivalent tool is tracert. The behavior is similar, but the default probe type often differs. Many Unix-like implementations use UDP probes by default, while Windows traditionally uses ICMP Echo Requests. That difference matters when firewalls treat UDP, ICMP, and TCP differently.

The final destination may also respond differently depending on the protocol and firewall rules. Some hosts answer ICMP but block UDP. Others allow TCP to a service port but ignore everything else. That is why a traceroute can succeed partway and still fail to show the final hop clearly.

Hop number: the sequence position in the route.
Host/IP address: the router or device responding at that hop.
Round-trip times: how long each probe took to get a response.

Note

Traceroute shows the path of probe packets, not a perfect diagram of every application flow. That distinction matters when NAT, MPLS, load balancing, or security appliances are in the path.

When Traceroute Is Most Helpful

Traceroute is most useful when connectivity exists, but performance or reachability is abnormal. A slow website, a VPN that connects but feels unstable, a remote server that times out, or a branch office that cannot reach a central application are all strong candidates. In each case, traceroute helps answer a simple question: where does the path stop behaving normally?

It is also valuable when DNS succeeds but the service still fails. If nslookup or dig resolves the name correctly and the browser still cannot load the site, the issue may be routing, filtering, or a problem beyond your local network. Traceroute helps separate name resolution from path reachability.

During an outage, it is especially useful to compare a normal path against an abnormal one. If yesterday’s route reached the destination in 12 hops and today’s route detours through an unexpected transit provider, you have a concrete lead. That is better than guessing whether the issue is local, ISP-related, or upstream.

Traceroute also complements other tools. ping confirms basic reachability and latency. pathping on Windows combines route discovery with packet loss analysis. DNS tools confirm name resolution. Together, these tools give a fuller picture than any single command can provide.

Use traceroute when latency spikes appear without an obvious local cause.
Use it to compare branch-office paths against headquarters paths.
Use it after a change window to validate whether routing still looks normal.

“A traceroute does not prove where the problem is. It proves where the evidence starts.”

Running Traceroute on Different Systems

On Linux, a common command is traceroute example.com. On macOS, the same syntax usually works. On Windows, use tracert example.com. If you need numeric output without reverse DNS lookups, many Linux and macOS versions support -n. That can make results faster and cleaner, especially when DNS is slow or broken.

Maximum hop count is another useful option. On Linux and macOS, -m sets the maximum number of hops. This is helpful when a route is long or when you want to avoid waiting through unnecessary probes. Some versions also let you choose packet type or destination port, which is useful when the failing application uses a specific protocol.

Privileges matter. Some traceroute implementations need sudo or administrator rights to send certain probe types or to use raw sockets. If you want more detailed packet behavior, or if the default command fails with permission errors, elevated privileges may be required.

One practical alternative is mtr, which combines traceroute and ping-style monitoring. It is especially useful when you need continuous route and loss analysis instead of a one-time snapshot. That makes it a strong choice for intermittent issues.

Platform	Common Command
Linux	traceroute example.com
macOS	traceroute example.com
Windows	tracert example.com

Different implementations may use ICMP, UDP, or TCP probes. That matters because the network may treat each one differently. If a service fails over TCP 443, a TCP-based traceroute is often closer to the real traffic pattern than a default UDP probe.

Reading Traceroute Output Correctly

Traceroute output is read top to bottom. Each line is one hop, and hop order tells you how far the packet progressed before it received a reply or timed out. The first hop is usually your local gateway, followed by upstream routers, then transit networks, and eventually the destination.

The latency values on each line are the round-trip times for the probes sent to that hop. When latency stays low for several hops and then suddenly jumps, that is often the first sign of congestion, a long detour, or a slower segment of the path. The key is to look for the point where the trend changes, not just the single largest number.

Asterisks mean the probe did not get a response in time. That does not automatically mean failure. Many routers deprioritize or block traceroute responses while still forwarding traffic normally. A hop with stars can be harmless if later hops still respond.

The most important question is simple: does the path keep progressing toward the destination? If hop 8 responds and hop 9 never appears, the break is likely somewhere after hop 8, not before it. If the destination is reached but a middle hop is slow, that middle hop may just be rate-limiting control-plane replies.

Warning

Do not assume the slowest hop is the broken hop. A router can respond slowly to traceroute while forwarding user traffic at full speed.

Normal pattern: stable latency with no unexplained gaps.
Suspicious pattern: sudden latency jump that persists in later hops.
Incomplete path: stars begin and the destination never appears.

Common Problems Traceroute Can Reveal

Traceroute is good at exposing route changes that increase latency unexpectedly. If traffic that normally stays within a regional backbone suddenly detours through a distant city or another provider, the hop list will usually show it. That kind of detour often points to a routing policy issue, a bad advertisement, or a peering problem.

It can also reveal a hop that stops responding because of filtering or firewall rules. That does not always mean the network is broken. It may simply mean the device is configured to ignore TTL-expired messages, or that a security appliance is blocking the probe type. The real clue is whether later hops still respond.

Asymmetric routing is another common discovery. Your outbound path may go one way, while return traffic takes a different path. Traceroute usually shows only the forward path from the source. If the forward path looks fine but the application still fails, asymmetric routing may be affecting return traffic or stateful firewalls.

Traceroute can also show congestion. If the first few hops are fast and later hops begin showing spikes, the issue may be on an upstream link or within a transit provider. Misconfigured gateways, broken peering links, and upstream outages often show up as sudden path changes or complete stops at a specific boundary.

Unexpected detour to a distant transit provider.
One hop that times out while later hops still respond.
Latency spikes that begin at the same hop across repeated tests.
Traffic that reaches the ISP edge but not the destination network.

Traceroute Limitations and Pitfalls

Routers often deprioritize or block ICMP responses, so traceroute can make a healthy path look worse than it is. A hop that shows stars may still be forwarding traffic normally. That is why you should never treat a single timeout as proof of an outage.

Load balancing can also produce inconsistent results. If multiple equal-cost paths exist, different probe packets may take different routes. One run may show hop A, the next may show hop B. That is not necessarily instability. It may simply be the network doing equal-cost multipath forwarding.

Traceroute shows the path of the probe packets, not always the exact path of the application session. A browser connection, a VPN tunnel, and a database transaction may all use different ports and different policy rules. NAT, MPLS, and security appliances can obscure visibility or hide intermediate devices entirely.

That is why context matters. If a destination times out at hop 10, but you can still reach the service from a different network, the issue may be policy-based, not a universal outage. If you are studying networking fundamentals, this is where the OSI model, LAN, VLAN, NAT, and subnetting concepts become practical. Traceroute helps you see how traffic moves across those layers and boundaries, even when the output is incomplete.

ICMP filtering can hide otherwise healthy devices.
Load balancing can create different paths across runs.
NAT and MPLS can obscure the real internal route.
Application traffic may behave differently from probe traffic.

Best Practices for Effective Troubleshooting

Start with a baseline traceroute during normal network conditions. Save it. When the next incident happens, compare the new output to the known-good path. That comparison often reveals the real change faster than any single test.

Run tests from multiple locations. If the problem appears only from one office, one VPN pool, or one cloud subnet, the issue is probably local or policy-related. If every location shows the same break, the problem is more likely upstream. This is especially useful when troubleshooting branch-office connectivity or remote server reachability.

Repeat traceroute several times. Intermittent problems often disappear on the second run if you only test once. Three or four runs give you a better picture of whether the issue is persistent or just momentary congestion. Pair those results with ping, packet capture, and log review for better evidence.

Documentation matters. Record the timestamp, source host, destination, network conditions, and any recent changes. If you are working in a team or handing the issue off to an ISP, that detail reduces back-and-forth and speeds up escalation. ITU Online IT Training emphasizes this kind of disciplined workflow because it saves time in real operations.

Key Takeaway

Baseline first, test from more than one location, and repeat the command before you draw conclusions. Good troubleshooting is pattern recognition, not guesswork.

Advanced Troubleshooting Techniques

For deeper analysis, use traceroute with the protocol that matches the failing application. If a web app fails over TCP 443, a TCP-based traceroute can be more relevant than a default probe. Some implementations let you specify ports or packet types, which helps you test the same policy path the application uses.

Comparing traceroutes from inside and outside the network boundary is one of the fastest ways to isolate firewall or routing issues. If the path works from outside but fails inside, internal policy or NAT may be involved. If it works inside but fails outside, the issue may be upstream or related to public routing.

Latency trends matter more than a single number. If hop 4 is the first place where delay rises and all later hops stay high, hop 4 is where the problem likely begins. If delay appears and then disappears, the issue may be transient congestion or control-plane rate limiting rather than a forwarding problem.

mtr is useful when you need continuous monitoring and loss visualization. It combines route discovery with repeated probes, which makes it better than a single traceroute for intermittent packet loss. During incident response, traceroute can also validate whether a recent network change introduced a routing issue. That makes it a strong verification tool after maintenance windows.

Match probe type to the application protocol when possible.
Compare inside vs. outside paths to isolate boundary issues.
Use repeated runs or mtr for intermittent failures.
Validate routing after changes, not just before them.

Troubleshooting Examples and Scenarios

Consider a case where local connectivity is fine, but traceroute stops at the first ISP hop. That usually suggests your LAN is healthy, your gateway is working, and the break is upstream. The next step is to test from another circuit or contact the provider with the hop details and timestamps.

Now imagine one intermediate hop times out, but later hops still respond normally. That is often just a router that filters traceroute responses. If the destination is reachable and latency is stable, the missing hop is probably not the problem. This is a common mistake for junior admins who assume every star means failure.

In another scenario, traceroute reveals a long detour caused by routing misconfiguration. Instead of going directly to a nearby regional endpoint, the path crosses several extra networks and adds 80 milliseconds. That kind of detour can break interactive applications, voice, or remote desktop sessions even when the link is technically “up.”

VPNs create another layer of complexity. Before tunnel activation, the route may be direct. After the tunnel comes up, traffic may be forced through the corporate gateway, changing the path and the latency profile. If users report that a service works off VPN but fails on VPN, traceroute helps show whether the tunnel policy or the routed path is the cause.

Finally, consider a destination reachable from one network but not another. That difference often points to filtering, asymmetric routing, or source-based policy. The destination itself may be fine. The path, source subnet, or security rule may be the real issue.

Scenario	What Traceroute Helps Prove
Stops at ISP hop	Local network is likely not the source of the failure
One hop times out	The device may be filtering probes, not dropping traffic
Unexpected detour	Routing policy or peering may have changed
VPN path changes	Tunnel policy may be altering traffic flow
Works from one network only	Source-based routing or firewall policy may differ

Conclusion

Traceroute is not a cure. It is a fast, practical diagnostic tool that narrows connectivity problems to a specific segment, hop, or policy boundary. Used well, it turns vague complaints into evidence you can act on. That is valuable whether you are checking a slow website, isolating a VPN issue, or confirming whether an ISP path changed after an outage.

The key is interpretation. Do not treat every timeout as a failure, and do not assume the slowest hop is the broken one. Read the output in context, compare it to a known-good baseline, and combine it with ping, DNS checks, packet capture, and logs. That approach gives you a much clearer view of what is actually happening on the wire.

If you want to build stronger troubleshooting skills, ITU Online IT Training can help you practice these workflows in a structured way. The more you work with traceroute, the faster you will move from guesswork to evidence-based diagnosis. That is the real payoff: fewer assumptions, better decisions, and faster resolution when the network stops behaving.

[ FAQ ]

Frequently Asked Questions.

What does the traceroute command actually show?

Traceroute shows the path that network packets take from your device to a destination host, one hop at a time. Each hop is typically a router or gateway that forwards the traffic along the route. By listing these intermediate steps, traceroute helps you see where packets are traveling normally and where they begin to slow down, fail, or stop responding. That makes it much easier to separate a local problem from an upstream routing issue.

In practice, the command is useful because it gives you evidence instead of guesses. If the first few hops are responding normally but later hops time out, the issue may be beyond your local network. If the trace fails immediately or shows unusual delay at the first hop, the problem may be inside your LAN, on your gateway, or with your local ISP connection. Traceroute does not fix the issue by itself, but it provides a clear starting point for deeper troubleshooting and helps you decide which team or provider should investigate next.

How can traceroute help identify where a connection is failing?

Traceroute helps identify the failure point by showing the last hop that responds successfully and the first hop that does not. If the trace reaches several routers and then starts returning timeouts, you can infer that the connection is likely breaking somewhere after the last visible hop. That does not always mean the traffic is completely blocked at that exact device, but it does show where the path becomes unreliable or unreachable from the perspective of the test. This is especially useful when users report that a website is unavailable, but only from certain networks or locations.

The command is also valuable because it can reveal where latency begins to rise. A sudden increase in response time at a specific hop may indicate congestion, packet loss, or a routing issue. If the delay appears only at the destination, the server itself may be overloaded. If the delay starts earlier in the path, the bottleneck may be in the network between you and the target. Used carefully, traceroute gives you a timeline of the route and helps narrow the problem to a local network, an ISP handoff, a transit provider, or the destination environment.

Why do some traceroute results show asterisks or missing hops?

Asterisks in traceroute output usually mean that a hop did not reply within the expected time window. That does not automatically mean the device is down or that traffic is blocked. Many routers are configured to deprioritize or ignore the probe packets used by traceroute, especially when they are busy forwarding normal traffic. In other cases, firewalls or security policies may prevent those devices from responding to diagnostic probes even though they are still passing traffic correctly. So a missing reply is often a visibility issue rather than a true outage.

It is important to interpret asterisks in context. If one hop does not respond but later hops do, the path is still functioning and the missing response may be harmless. If multiple consecutive hops stop responding and the destination is unreachable, that suggests a more meaningful problem. Traceroute is best used as a clue, not as a final verdict. Combine it with ping, DNS checks, service checks, and logs when possible. That way, you can distinguish between a router that is simply not answering probes and a real connectivity failure affecting users.

What is the difference between traceroute and ping?

Ping and traceroute are both network diagnostic tools, but they answer different questions. Ping checks whether a destination is reachable and measures round-trip time for packets sent directly to that host. It is useful for confirming basic connectivity and spotting packet loss or high latency. Traceroute, on the other hand, maps the route to the destination by showing each intermediate hop along the way. Instead of only telling you whether the endpoint responds, it helps you see where in the path a problem may be occurring.

In troubleshooting, ping is often used first to confirm that a host is up, while traceroute is used when you need more detail about where communication is breaking down. For example, if ping fails, traceroute can show whether the issue begins at your gateway, in the ISP network, or closer to the destination. If ping succeeds but users still complain about slowness, traceroute can help identify a specific hop with unusual latency. Together, these tools create a clearer picture of network behavior than either one can provide alone.

When should I use traceroute during network troubleshooting?

You should use traceroute when a connectivity problem is not obvious and you need to determine where the path is failing. It is especially helpful when users can reach some services but not others, when access works from one location but not another, or when a site feels slow and you need to know whether the issue is local or upstream. Traceroute is also useful during incident response, because it gives you a quick view of the network path without requiring access to the remote server or provider infrastructure.

It is often most effective as part of a broader troubleshooting workflow. Start with basic checks such as verifying the hostname, confirming DNS resolution, and testing reachability with ping or a browser. If those checks do not explain the issue, run traceroute to see the route and identify where responses change or stop. If needed, compare traces from different networks or devices to spot differences in routing behavior. That comparison can reveal whether the issue is isolated to one path, one ISP, or one region, which makes escalation much more precise and saves time for everyone involved.