Trace Network Paths in Linux
When a service slows or stops, guessing wastes time. We show a clear, repeatable way to get hop-level information so you can find the bottleneck fast.
Our approach pairs two simple tools that reveal each hop, timing, and address. That gives actionable route data you can share with upstream providers or internal teams.
We’ll cover installation, a baseline run, and how to read each hop — including when a tool needs elevated rights and when it does not. This practical intro gets you from question to clear evidence in minutes.
Key Takeaways
- You’ll get hop-by-hop timing and address details, not just reachability.
- Using both traceroute and a non-root tool gives broader coverage.
- Clear results speed root-cause analysis and support tickets.
- We focus on commands you can run now on production systems.
- Outputs provide the exact source data to share with providers or teams.
Why trace network paths in Linux matters right now
A sudden slowdown often hides a clear, measurable cause if you know where to look. We start with common, urgent scenarios so you can act fast.
Common scenarios: sudden slowness, timeouts, or unreachable services
Apps that slow without warning, intermittent timeouts, or a service that stops responding all happen in production.
Often ping still replies, but users see delays. That mismatch tells us the problem may sit between your system and the destination.
Ping vs traceroute/tracepath: reachability versus path visibility
Ping proves reachability. It does not show where packets slow or get dropped.
That’s why we use traceroute and tracepath. Both map the route and print hop-by-hop output with round-trip timings.
Tracepath usually runs without root, while traceroute offers advanced options when you need them.
- Use these tools to decide if the issue is local, at your provider, or beyond control.
- Capture repeatable output for teams or ISPs — show the problematic hop IP/name and rising RTTs as evidence.
Quick setup and prerequisites on popular Linux systems
Get the right tools installed now so you can act fast when a server shows problems.
Install traceroute on Debian/Ubuntu and RHEL/CentOS-family
On Debian/Ubuntu run: sudo apt install traceroute.
On RPM-based systems run: sudo yum install traceroute.
These commands add the utility you’ll use for advanced probes and protocol choices.
Confirm tracepath availability and basic permissions
Tracepath usually comes preinstalled and uses the sockets API, so it does not need sudo. That makes it handy when you can’t grant elevated rights.
Traceroute defaults to udp, but you can change the protocol with options for icmp or TCP. Some invocations will prompt for sudo because traceroute manipulates packets at a low level.
Verify your user can run these commands and that DNS name resolution works if you want names in output. On hardened servers, coordinate with security teams to allow outbound probes during incidents.
- Install both tools on admin workstations and jump hosts.
- Keep man pages and local docs updated for common options and defaults.
- Store tools on bastion hosts so traces run close to the affected router or server.
This lightweight setup is usually enough to start mapping routes to any target and to collect repeatable evidence for troubleshooting.
How traceroute works under the hood
Let’s unpack the mechanics that let traceroute build a hop-by-hop map. I’ll keep this practical—no deep theory, just what you need to read output and explain it.
TTL mechanics and ICMP replies
Each probe is a packet sent with a small ttl. The first router decrements that ttl. When ttl hits zero, that router drops the packet and sends back an ICMP “time exceeded” message.
Traceroute repeats probes with higher ttl values to discover the next router, hop by hop, until the destination replies. At the end the target usually answers with an error about the UDP port being unreachable—confirming the full path.
Protocols and when sudo matters
On many systems traceroute uses UDP by default, with ICMP available via -I and TCP via -T. Choosing raw packets or alternate protocols can require root because the tool crafts packet headers directly.
| Behavior | Why it matters | Practical note |
|---|---|---|
| TTL decrement | Reveals each router | Shows immediate upstream (first router) timing |
| ICMP time exceeded | Identifies hop address | Some devices suppress ICMP, causing gaps |
| UDP default probes | Triggers final unreachable at destination | Uses unused port to elicit response |
- Reverse DNS affects whether you see names or only addresses.
- Suppressed ICMP can mask hops—interpret asterisks accordingly.
trace network paths Linux with traceroute
Run one simple command and you’ll see each device between your host and the destination. That first probe gives a clear, repeatable view you can share with colleagues or an ISP.
Essential syntax and a first test
Use the basic command: traceroute <hostname_or_IP>. Try it against a known service to get your first full path map in seconds.
Key options for control and speed
- -n — skip DNS lookups to speed output and focus on raw addresses.
- -w <seconds> — set per-probe timeout when links are slow.
- -m <max_ttl> — cap the maximum number hops so traces finish quickly.
- -4 / -6 — force IPv4 or IPv6 to check dual-stack differences.
Reading traceroute output
Each line starts with the hop number. Next comes the router’s name or address and three round-trip time values by default.
Watch the time values across hops — growing RTTs often pinpoint where latency appears. Remember: traceroute sends three packets per hop by default, so variability shows intermittent problems.
Examples and practical tips
For a snappy, useful trace use: traceroute -n -w 2 -m 15 <destination>. This limits maximum number hops and lowers wait time per probe, giving fast, actionable output for on-call checks.
Tracepath basics for quick, non-root troubleshooting
For quick triage from a locked-down workstation, a simple path probe often answers the core question. We reach for this tool when we need a fast check without sudo.
Run a basic test like tracepath server01 to learn how many hops you traverse and whether timing stays steady. Add -p 8080 to test a specific service port, -m 42 to limit probes, or -n to skip DNS lookups for speed.
What the output shows and why it helps
Output prints hop number, an address or name, and a single round‑trip time per hop. It also reports MTU values discovered along the path—handy for spotting fragmentation issues early.
| Option | Effect | When to use |
|---|---|---|
| -m <number> | Limits number hops probed | Keep traces short during fast checks |
| -p <port> | Probes specific destination port | Validate a service rather than general reachability |
| -n | Skips DNS lookups | Speeds output and shows raw addresses |
| -6 | Forces IPv6 probes | Test v6-only connectivity |
- We use this tool for safe, non-root testing from help desks and admins with limited rights.
- Gaps or missing messages often mean the device ignored the probe—not necessarily a hard failure.
- Combine a quick path scan with a service check to decide if you need deeper diagnostics.
Diagnose real issues: from high latency to filtering
I start by scanning RTTs across adjacent hops to spot where latency first jumps. A steady rise that begins at one hop and continues downstream usually points to a bottleneck at or beyond that router.
Watch for lines with only asterisks. Those often mean timeouts caused by ICMP or UDP filtering, rate limits, or devices that silently drop probe messages. Don’t assume dropped probes equal dropped traffic—confirm downstream reachability first.
Load balancing can show multiple routers at the same hop number. That happens when equal-cost routes split your packets. Asymmetric routing can also make a hop look slow if the return path takes a different route.
Repeat traces a few times and note the first router to separate local issues from upstream provider problems. If you see inconsistent results, try changing protocol or port to determine whether filtering is protocol-specific.
| Output | Likely cause | Action |
|---|---|---|
| Rising RTT from hop N | Bottleneck at or beyond router | Correlate with traffic, repeat trace |
| Asterisks (*) | ICMP/UDP filtered or rate limited | Try different protocol/port |
| Different addresses on same hop | Load balancing | Run multiple probes, annotate output |
- Annotate output with concise notes—this helps routing teams act fast.
Advanced traceroute techniques for deeper analysis
A few extra options can turn a noisy, confusing output into clear, actionable information. I walk through targeted techniques that help you isolate filtering, fragmentation, and load balancing quickly.
Protocol and port testing
Verify whether a firewall blocks a service by testing TCP to the app port: traceroute -T -p <port> <dest>. If UDP replies are missing, switch to ICMP with -I to compare behavior.
Stability with more queries and focused ttl ranges
Use -q to increase probes per hop and reduce single-sample noise from load balancing. Limit the ttl range when you want to concentrate on a suspect segment and speed repeated checks.
MTU, fragmentation, and pairing with ping
Shrink probe sizes to spot fragmentation clues, then confirm with targeted ping tests that check PMTU. If TCP succeeds but UDP fails, treat that as strong evidence of ACLs or protocol-specific filtering.
- Run repeated traces and note any consistent outlier hop number — that’s your escalation point.
- Keep a short command set in your notes: -n -q 5 -w 2 for quick, reliable samples.
- Document results and the exact commands so on-call engineers can reproduce findings.
Cross-platform note: comparing Linux tools with Windows tracert
When Windows is the only endpoint, its built-in tracert command gives a fast, shareable route snapshot.
Tracert mirrors the TTL-incrementing method and shows hop address, name, and timing. It uses icmp only, so you cannot change the protocol or probe a specific port like you can with traceroute.
That simplicity makes tracert handy on a help desk machine or a Windows server with no extra tools installed. Run it to capture the hop sequence and save the output for escalation.
- Quick example: a tech runs tracert example.com to collect hop addresses and names for triage.
- If tracert returns asterisks because ICMP is filtered, try traceroute from a Linux or alternative system with TCP/UDP probes.
- Collect both Windows and traceroute outputs to compare whether the route differs by source or destination.
| Tool | Protocol | When to use |
|---|---|---|
| tracert | ICMP | Quick checks on Windows systems or desktops |
| traceroute | ICMP/UDP/TCP | Deep probes, port or protocol testing |
| Both | — | Save outputs to correlate router sequence and find consistent problem points |
Putting it all together for reliable, repeatable troubleshooting
A consistent command set and simple documentation turn ad-hoc probes into reliable evidence.
We recommend a short playbook: schedule baseline traceroute linux runs during normal ops, record the number hops and the default options you use, and save traceroute output with exact address and name snippets.
During incidents, run the same command set, compare round-trip time patterns along the path, and repeat probes to reveal load balancing or variance. Use ttl ranges to focus on a suspect node, and try alternate packets and ports to confirm filtering.
Capture annotated outputs in tickets, correlate from another source, and treat the playbook as living documentation—update commands, timeouts, and depth as your network evolves.
