TRACEROUTE(8)
TRACEROUTE(8)



NNAAMMEE
       traceroute - print the route packets take to network
       host

SSYYNNOOPPSSIISS
       ttrraacceerroouuttee [
       --ddFFIInnrrvvxx ] [ --ff
       _f_i_r_s_t___t_t_l ] [ --gg
       _g_a_t_e_w_a_y ] [ --ii _i_f_a_c_e ]
               [ --mm max_ttl ] [ --pp _p_o_r_t ]
               [ --qq _n_q_u_e_r_i_e_s ] [ --ss
               _s_r_c___a_d_d_r ] [ --tt _t_o_s ]
               [ --ww _w_a_i_t_t_i_m_e ] _h_o_s_t
               [ _p_a_c_k_e_t_l_e_n ]

DDEESSCCRRIIPPTTIIOONN
       The  Internet  is  a large and complex aggregation
       of network hardware, connected together by
       gateways.  Tracking the route one's packets
       fol‐ low  (or  finding the miscreant gateway
       that's discarding your packets) can be difficult.
       _T_r_a_c_e_r_o_u_t_e utilizes the IP protocol
       `time  to  live' field  and  attempts to elicit an
       ICMP TIME_EXCEEDED response from each gateway along
       the path to some host.

       The only mandatory parameter is the destination host
       name or IP number.  The  default  probe  datagram
       length  is  40  bytes,  but  this may be increased
       by specifying a packet length (in bytes) after  the
       destina‐ tion host name.

       Other options are:

       --ff     Set  the  initial  time-to-live used in
       the first outgoing probe
              packet.

       --FF     Set the "don't fragment" bit.

       --dd     Enable socket level debugging.

       --gg     Specify a loose source route gateway
       (8 maximum).

       --ii     Specify a network interface to obtain the
       source IP address  for
              outgoing probe packets. This is normally only
              useful on a multi- homed host. (See the --ss
              flag for another way to do this.)

       --II     Use ICMP ECHO instead of UDP datagrams.

       --mm     Set the max time-to-live (max number of hops)
       used  in  outgoing
              probe  packets.   The  default is 30 hops
              (the same default used for TCP connections).

       --nn     Print hop addresses numerically  rather
       than  symbolically  and
              numerically  (saves a nameserver address-to-name
              lookup for each gateway found on the path).

       --pp     Set the base UDP port number used in probes
       (default is  33434).
              Traceroute  hopes that nothing is listening
              on UDP ports _b_a_s_e to _b_a_s_e  _+
              _n_h_o_p_s  _-  _1  at  the  destination
              host  (so  an   ICMP PORT_UNREACHABLE message
              will be returned to terminate the route tracing).
              If something is listening on a port  in  the
              default range, this option can be used to pick
              an unused port range.

       --rr     Bypass  the normal routing tables and send
       directly to a host on
              an attached network.  If the host is not on a
              directly-attached network,  an error is returned.
              This option can be used to ping a local host
              through an interface that has no route  through
              it (e.g., after the interface was dropped by
              _r_o_u_t_e_d(8C)).

       --ss     Use  the  following  IP address (which
       usually is given as an IP
              number, not a hostname) as the source address
              in outgoing  probe packets.   On  multi-homed
              hosts  (those  with more than one IP address),
              this option can be used to force the source
              address to be  something  other  than  the
              IP address of the interface the probe packet
              is sent on.  If the IP address is not one  of
              this machine's  interface addresses, an error
              is returned and nothing is sent. (See the --ii
              flag for another way to do this.)

       --tt     Set the
       _t_y_p_e_-_o_f_-_s_e_r_v_i_c_e in probe
       packets to the following  value
              (default  zero).   The  value  must  be
              a decimal integer in the range 0 to 255.
              This option can be used  to  see  if  different
              types-of-service  result  in  different  paths.
              (If you are not running 4.4bsd, this may be
              academic since  the  normal  network services
              like  telnet  and  ftp don't let you control
              the TOS).  Not all values of TOS are legal or
              meaningful - see the IP  spec for definitions.
              Useful values are probably `--tt _1_6'
              (low delay) and `--tt _8' (high throughput).

       --vv     Verbose output.  Received ICMP packets
       other than  TIME_EXCEEDED
              and UNREACHABLEs are listed.

       --ww     Set  the  time  (in  seconds)  to wait for
       a response to a probe
              (default 5 sec.).

       --xx     Toggle checksums. Normally, this prevents
       traceroute from calcu‐
              lating  checksums. In some cases, the operating
              system can over‐ write parts of the  outgoing
              packet  but  not  recalculate  the checksum
              (so  in  some  cases  the  default is to not
              calculate checksums and using --xx causes
              them to be calcualted). Note  that checksums
              are usually required for the last hop when
              using ICMP ECHO probes (--II).

       This program attempts to trace the route an IP
       packet would  follow  to some  internet  host  by
       launching  UDP probe packets with a small ttl (time
       to live) then listening for an ICMP "time exceeded"
       reply from  a gateway.   We  start  our  probes with
       a ttl of one and increase by one until we get an ICMP
       "port unreachable" (which means we got to  "host")
       or  hit  a  max (which defaults to 30 hops & can be
       changed with the --mm flag).  Three probes (change
       with --qq flag) are sent at each ttl setting and
       a line is printed showing the ttl, address of the
       gateway and round trip time of each probe.  If the
       probe  answers  come  from  different gateways,  the
       address  of each responding system will be printed.
       If there is no response within a 5 sec. timeout interval
       (changed with the --ww flag), a "*" is printed for
       that probe.

       We  don't want the destination host to process the
       UDP probe packets so the destination port is set to an
       unlikely value (if some clod  on  the destination is
       using that value, it can be changed with the --pp
       flag).

       A sample use and output might be:

              [yak 71]% traceroute nis.nsf.net.  traceroute
              to nis.nsf.net (35.1.1.48), 30 hops max, 38
              byte packet
               1  helios.ee.lbl.gov (128.3.112.1)  19 ms  19 ms
               0 ms 2  lilac-dmc.Berkeley.EDU (128.32.216.1)
               39 ms  39 ms  19 ms 3  lilac-dmc.Berkeley.EDU
               (128.32.216.1)  39 ms  39 ms  19 ms 4
               ccngw-ner-cc.Berkeley.EDU (128.32.136.23)  39
               ms  40 ms  39 ms 5  ccn-nerif22.Berkeley.EDU
               (128.32.168.22)  39 ms  39 ms  39 ms 6
               128.32.197.4 (128.32.197.4)  40 ms  59 ms  59
               ms 7  131.119.2.5 (131.119.2.5)  59 ms  59 ms
               59 ms 8  129.140.70.13 (129.140.70.13)  99 ms
               99 ms  80 ms 9  129.140.71.6 (129.140.71.6)
               139 ms  239 ms  319 ms
              10  129.140.81.7 (129.140.81.7)  220 ms  199
              ms  199 ms 11  nic.merit.edu (35.1.1.48)  239
              ms  239 ms  239 ms

       Note  that  lines 2 & 3 are the same.  This is due to
       a buggy kernel on the 2nd hop system - lbl-csam.arpa -
       that forwards packets with a  zero ttl  (a  bug in
       the distributed version of 4.3BSD).  Note that you
       have to guess what path the  packets  are  taking
       cross-country  since  the NSFNet  (129.140)  doesn't
       supply address-to-name translations for its NSSes.

       A more interesting example is:

              [yak 72]% traceroute allspice.lcs.mit.edu.
              traceroute to allspice.lcs.mit.edu (18.26.0.115),
              30 hops max
               1  helios.ee.lbl.gov (128.3.112.1)  0 ms  0 ms
               0 ms 2  lilac-dmc.Berkeley.EDU (128.32.216.1)
               19 ms  19 ms  19 ms 3  lilac-dmc.Berkeley.EDU
               (128.32.216.1)  39 ms  19 ms  19 ms 4
               ccngw-ner-cc.Berkeley.EDU (128.32.136.23)  19
               ms  39 ms  39 ms 5  ccn-nerif22.Berkeley.EDU
               (128.32.168.22)  20 ms  39 ms  39 ms 6
               128.32.197.4 (128.32.197.4)  59 ms  119 ms  39
               ms 7  131.119.2.5 (131.119.2.5)  59 ms  59 ms
               39 ms 8  129.140.70.13 (129.140.70.13)  80 ms
               79 ms  99 ms 9  129.140.71.6 (129.140.71.6)
               139 ms  139 ms  159 ms
              10  129.140.81.7 (129.140.81.7)  199 ms  180 ms
              300 ms 11  129.140.72.17 (129.140.72.17)  300
              ms  239 ms  239 ms 12  * * * 13  128.121.54.72
              (128.121.54.72)  259 ms  499 ms  279 ms
              14  * * * 15  * * * 16  * * * 17  * * * 18
              ALLSPICE.LCS.MIT.EDU (18.26.0.115)  339 ms  279
              ms  279 ms

       Note that the gateways 12, 14, 15, 16 & 17 hops away
       either don't  send ICMP  "time  exceeded"  messages
       or  send them with a ttl too small to reach us.  14 -
       17 are running the MIT C Gateway code that doesn't
       send "time exceeded"s.  God only knows what's going
       on with 12.

       The  silent  gateway  12 in the above may be the
       result of a bug in the 4.[23]BSD network code (and its
       derivatives):  4.x (x <=  3)  sends  an unreachable
       message  using  whatever ttl remains in the original
       data‐ gram.  Since, for gateways, the remaining ttl
       is zero, the  ICMP  "time exceeded"  is  guaranteed
       to  not make it back to us.  The behavior of this bug
       is slightly more interesting when it appears on  the
       destina‐ tion system:

               1  helios.ee.lbl.gov (128.3.112.1)  0 ms  0 ms
               0 ms 2  lilac-dmc.Berkeley.EDU (128.32.216.1)
               39 ms  19 ms  39 ms 3  lilac-dmc.Berkeley.EDU
               (128.32.216.1)  19 ms  39 ms  19 ms 4
               ccngw-ner-cc.Berkeley.EDU (128.32.136.23)  39
               ms  40 ms  19 ms 5  ccn-nerif35.Berkeley.EDU
               (128.32.168.35)  39 ms  39 ms  39 ms 6
               csgw.Berkeley.EDU (128.32.133.254)  39 ms  59
               ms  39 ms 7  * * * 8  * * * 9  * * *
              10  * * * 11  * * * 12  * * * 13
              rip.Berkeley.EDU (128.32.131.22)  59 ms !
              39 ms !  39 ms !

       Notice  that  there are 12 "gateways" (13 is the final
       destination) and exactly the last half of them are
       "missing".  What's  really  happening is  that  rip
       (a  Sun-3  running  Sun OS3.5) is using the ttl from
       our arriving datagram as the ttl in its ICMP reply.
       So,  the  reply  will time out on the return path
       (with no notice sent to anyone since ICMP's aren't sent
       for ICMP's) until we probe with a ttl that's at least
       twice the  path  length.  I.e., rip is really only 7
       hops away.  A reply that returns with a ttl of 1 is a
       clue  this  problem  exists.   Traceroute prints  a
       "!" after the time if the ttl is <= 1.  Since vendors
       ship a lot of obsolete (DEC's Ultrix, Sun 3.x) or
       non-standard  (HPUX)  soft‐ ware,  expect  to  see
       this problem frequently and/or take care picking the
       target host of your probes.

       Other possible annotations after the time are !!HH,
       !!NN,  or  !!PP  (got  a host,  network or protocol
       unreachable, respectively), !!SS or !!FF (source
       route failed or fragmentation needed - neither  of
       these  should  ever occur  and the associated gateway
       is busted if you see one), !!XX (commu‐ nication
       administratively prohibited), or !!<<NN>> (ICMP
       unreachable  code N).   If  almost  all  the  probes
       result in some kind of unreachable, traceroute will
       give up and exit.

       This program is intended for use in network  testing,
       measurement  and management.   It  should  be used
       primarily for manual fault isolation.  Because of
       the load it could impose on the network, it is unwise
       to use _t_r_a_c_e_r_o_u_t_e during normal
       operations or from automated scripts.

SSEEEE AALLSSOO
       pathchar(8), netstat(1), ping(8)

AAUUTTHHOORR
       Implemented  by  Van  Jacobson  from  a  suggestion
       by  Steve Deering.  Debugged by a cast of thousands
       with particularly cogent suggestions or fixes from
       C. Philip Wood, Tim Seaver and Ken Adelman.

       The current version is available via anonymous ftp:

              _f_t_p_:_/_/_f_t_p_._e_e_._l_b_l_._g_o_v_/_t_r_a_c_e_r_o_u_t_e_._t_a_r_._Z

BBUUGGSS
       Please send bug reports to traceroute@ee.lbl.gov.



4.3 Berkeley Distribution        22 April 1997
TRACEROUTE(8)
