4/13/2011

Understanding how Traceroute works using Wireshark

When we connect to a website, our packets pass through a number of hops, or routers. The path taken can differ from one connection to the next, so the hop count can differ too. Using traceroute, we can determine the path traversed. Traceroute uses a very clever method for this.



Every IP packet has a TTL (time to live) value associated with it. Each time the packet reaches a hop, its TTL value is decreased by 1. So, if a packet has TTL=4, it is dropped when it reaches the 4th router.

In traceroute, first a packet to the destination is sent with TTL=1. It reaches router 1 and, since its TTL value reaches 0 there, the router sends back an error message. Then a second packet is sent with TTL=2. This reaches router 2, which sends an error message. This is continued until the destination is reached. So every router in between sends a time-exceeded message, from which traceroute determines the path. Now let's take a look at the packets using Wireshark.

By default, tracert in Windows uses ICMP packets. So I will add an ICMP filter to Wireshark.

You can see all the hops. Now let's take a look at Wireshark.
You can see all the Time to live exceeded packets. Now let's see the difference when we use traceroute in Linux.
Linux offers many more options. Just type tracert and you can see all the options, some of which I will mention here.
-T    use TCP packets
-U    use UDP packets
-i    device interface
-p    use the specified destination port (make sure you use a lowercase p)

I will explain the uses of these options in my next post.
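To make the TTL mechanism and the probe options above concrete, here is an added model of a traceroute run (not code from the original post). It pushes probes with TTL = 1, 2, 3, ... through a constructed path of routers, returns the ICMP reply each probe provokes, and also shows the two cases the text does not walk through: a UDP probe (the Linux -U option), which the destination answers with Port Unreachable instead of Echo Reply, and a destination that never answers, where traceroute prints '*' per hop until it gives up at its hop limit.

```python
# Added example, not code from the original post: a model of the TTL probing
# that traceroute performs. Router addresses and the path are constructed.
from dataclasses import dataclass

ICMP_ECHO_REPLY = (0, 0)        # type 0: destination answers an ICMP Echo probe
ICMP_PORT_UNREACHABLE = (3, 3)  # type 3 code 3: destination answers a UDP probe
ICMP_TIME_EXCEEDED = (11, 0)    # type 11 code 0: TTL reached 0 in transit
MAX_HOPS = 30                   # default hop limit of tracert and traceroute

# Wireshark display filter that keeps exactly the replies modelled here
WIRESHARK_FILTER = "icmp.type == 11 || icmp.type == 0 || icmp.type == 3"

@dataclass
class Probe:
    dst: str
    ttl: int
    proto: str = "icmp"  # "icmp" (Windows tracert) or "udp" (Linux default)

def forward(probe, routers, destination):
    """Push one probe through `routers` in order; return (replying_ip, icmp)
    or None when nobody answers (traceroute shows that hop as '*')."""
    ttl = probe.ttl
    for hop_ip in routers:
        ttl -= 1                 # every router decrements TTL before forwarding
        if ttl == 0:             # expired: this router drops it and reports back
            return hop_ip, ICMP_TIME_EXCEEDED
    if probe.dst != destination:
        return None              # the path does not lead to the probed host
    if probe.proto == "udp":     # UDP probe to an unused port
        return destination, ICMP_PORT_UNREACHABLE
    return destination, ICMP_ECHO_REPLY

def traceroute(dst, routers, destination, proto="icmp", max_hops=MAX_HOPS):
    """Probe with TTL = 1, 2, 3, ... until the destination itself answers.
    Returns (hops, reached); hops is a list of (ttl, ip or '*')."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward(Probe(dst, ttl, proto), routers, destination)
        if reply is None:
            hops.append((ttl, "*"))
            continue
        ip, icmp = reply
        hops.append((ttl, ip))
        if icmp != ICMP_TIME_EXCEEDED:  # not a router but the destination
            return hops, True
    return hops, False               # gave up after max_hops without an answer
```

Calling `traceroute("203.0.113.10", ["192.0.2.1", "198.51.100.1", "203.0.113.1"], "203.0.113.10")` yields one Time Exceeded reply per router followed by the destination's Echo Reply at TTL 4, which is exactly the sequence the ICMP filter shows in Wireshark.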

8 comments:

  1. Alexander Holmström, 30 November 2012 at 03:38

    Hi, my name is tobeis

  2. Only one issue: this method of tracert is for Windows, not Linux, which is slightly different.

    You also don't say what happens when the destination can't be reached.

  3. GNU+Linux-libre PLEASE!
