- Traceroute sends a probe packet with a TTL of 1 to the destination.
- Each router decrements the TTL by 1, and if it hits zero the router sends an ICMP TTL Exceeded message back to the source.
- Next the TTL will be 2, and so on…
- When the source receives an ICMP Unreachable message, the trace ends.
- Most traceroutes send 3 probe packets per hop to get a better measurement of RTT.
- Each probe is unique.
- Most implementations use UDP packets with incrementing destination ports (e.g. Cisco traceroute).
- ICMP or TCP can also be used (e.g. Windows tracert uses ICMP).
- Each packet MAY be forwarded on a completely different path.
- This may be visible to the user as multiple IPs for each hop, but it can also be completely invisible.
The calculation of latency is actually the sum of:
- The time taken to forward the packet to the displayed router hop.
- The time taken for the router to generate an ICMP response packet.
- The time taken for the ICMP packet to reach the sender.
This is the delay caused by the encoding of data as packets across the network. The faster an interface is, the quicker this process occurs.
This delay might be noticeable on low-speed links.
Serialization delay can be caused by temporary high CPU utilization (ICMP packets are not considered important, so they will be processed later). To distinguish whether the delay is temporary or permanent, check the latency between hops.
If the latency persists across ALL future hops as well, then you have a problem.
So if you see one hop with high latency and normal latency again after it, that means the router generates ICMP more slowly. This doesn't cause a performance problem.
Delay caused simply by buffering… QoS
This is the delay that shows how much time the packet spends on the wire.
Obviously fiber is the best choice here.
Traceroute only shows the forward path. The only way to confidently analyze a traceroute is to have traceroutes in both directions!
example:

```
1 22.214.171.124 0.719 ms
2 126.96.36.199 0.574 ms
3 188.8.131.52 100.280 ms
4 184.108.40.206 101.876 ms
5 220.127.116.11 101.888 ms
```

- There could be congestion between hop 2 and hop 3.
- There might be an asymmetric reverse path (note: the latency shown is round trip).
The route back might have a congested circuit. To find this you need a trace from the other side!
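
The rule stated earlier (a latency jump that persists across all later hops is a real problem, a jump on a single hop is only slow ICMP generation) can be checked mechanically against the five-hop trace above. This is an added example, not part of the original page; the function names, the 50 ms threshold and the second, constructed trace (RFC 5737 documentation addresses) are assumptions made for the illustration.

```python
import re

# One reply per hop line: "<hop> <ip> <rtt> ms" (or "msec"), as in the trace above.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d.]+)\s*ms(?:ec)?\s*$")

PAGE_TRACE = """\
1 22.214.171.124 0.719 ms
2 126.96.36.199 0.574 ms
3 188.8.131.52 100.280 ms
4 184.108.40.206 101.876 ms
5 220.127.116.11 101.888 ms
"""
# Constructed sample: hop 3 answers slowly, later hops are back to normal.
CONSTRUCTED_TRACE = """\
1 192.0.2.1 0.8 ms
2 192.0.2.2 1.1 ms
3 192.0.2.3 95.4 ms
4 *
5 192.0.2.5 1.9 ms
6 192.0.2.6 2.3 ms
"""

def parse_trace(text):
    """Return [(hop, ip, rtt_ms)]; hops without a reply ('*') are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), float(m.group(3))))
    return hops

def classify_spikes(hops, threshold_ms=50.0):
    """Label every hop whose RTT exceeds the previous hop's by > threshold_ms.
    persistent: all later hops stay high (real delay, forward or return path).
    transient:  a later hop drops back (router is just slow to generate ICMP).
    last-hop:   nothing after it to compare with, so it cannot be decided."""
    findings = []
    for i in range(1, len(hops)):
        base = hops[i - 1][2]          # RTT of the hop just before the jump
        if hops[i][2] - base <= threshold_ms:
            continue
        later = [rtt for _, _, rtt in hops[i + 1:]]
        if not later:
            verdict = "last-hop"
        elif all(rtt - base > threshold_ms for rtt in later):
            verdict = "persistent"
        else:
            verdict = "transient"
        findings.append((hops[i][0], verdict))
    return findings
```

A "persistent" verdict only says the delay is real; as the text notes, a trace from the other side is still needed to tell forward congestion from a slow return path.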
It is also possible that every single hop has a different route back. In this case you have to check every hop one by one (e.g. in the image below, every color is a trace hop).
Multiple paths and Load balancing
example:

```
1 10.0.0.114 0 msec 10.0.0.121 0 msec 10.0.0.114 0 msec
2 10.0.0.225 8 msec 10.0.0.125 2 msec 10.0.0.225 8 msec
3 10.0.0.225 10 msec 10.0.0.226 10 msec 10.0.0.225 8 msec
4 * 10.0.0.226 8 msec *
```

The above example shows the different outputs of all 3 traceroute probes per hop.
Every probe is independent!
MPLS ICMP Tunneling example
This might be weird because hops from 2 to 11 are part of a tunnel. The hops are visible (because the provider didn’t turn off TTL decrement) but the latency shows the delay from tunnel source to tunnel destination. So the traceroute probe fully goes through the tunnel at every hop.