How traceroute Works

traceroute packets

These are IP packets carrying a UDP payload, with the TTL (time to live) set to 1. The TTL is set to 1 so that the packet expires as soon as it reaches the next hop, which then sends an ICMP Time Exceeded message back to the host that sent it.

What's the next hop IP

Traceroute gets the next hop IP from the source IP address of the Time Exceeded packet it receives. This is why the TTL is set to 1: the packet expires on every successful attempt, and the reply returns that hop's IP address to the sending host.


Getting the Next Next Hop IP

To get the hop after the previous one, all traceroute does is increment the TTL by 1, so the next UDP packet goes out with a TTL of 2. Once that packet reaches the second hop, if successful, that device will also return a Time Exceeded response carrying its own source IP.
This process continues until the true destination is reached.

Knowing when it's arrived at the destination

Traceroute knows it has reached the destination when it receives an ICMP Port Unreachable message. It provokes this by picking a very unlikely UDP port number, one that should not match a port the host is listening on. When the host receives a packet for that non-matching port, it generates the Port Unreachable ICMP response.
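The loop described above, as an added example that is not part of the original page: it runs offline against a constructed three-hop path, builds the ICMP replies as raw bytes, and classifies them the way traceroute does. The function names, the sender address and the sample path (documentation-range addresses) are assumptions made for illustration.

```python
import socket
import struct

ICMP_TIME_EXCEEDED = 11      # type 11: TTL expired in transit
ICMP_DEST_UNREACH = 3        # type 3: destination unreachable
ICMP_PORT_UNREACH_CODE = 3   # code 3 under type 3: port unreachable

def build_icmp_reply(src_ip, dst_ip, icmp_type, icmp_code):
    """Minimal IPv4 + ICMP headers; checksums and the quoted original packet are omitted."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0, 0, 64, socket.IPPROTO_ICMP, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    icmp_header = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    return ip_header + icmp_header

def simulate_probe(path, sender, ttl):
    """Constructed network: path[-1] is the destination, earlier entries are routers."""
    hop = path[min(ttl, len(path)) - 1]
    if ttl < len(path):  # TTL reaches 0 at a router before the destination
        return build_icmp_reply(hop, sender, ICMP_TIME_EXCEEDED, 0)
    # Probe arrived at the destination, where nothing listens on the unlikely UDP port.
    return build_icmp_reply(hop, sender, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH_CODE)

def parse_reply(packet):
    """Return (source IP, ICMP type, ICMP code) from a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    src = socket.inet_ntoa(packet[12:16])     # source address = the replying hop
    icmp_type, icmp_code = struct.unpack("!BB", packet[ihl:ihl + 2])
    return src, icmp_type, icmp_code

def trace(path, sender="192.0.2.10", max_hops=30):
    """Start at TTL 1 and add 1 per probe until Port Unreachable arrives."""
    hops = []
    for ttl in range(1, max_hops + 1):
        src, icmp_type, icmp_code = parse_reply(simulate_probe(path, sender, ttl))
        if icmp_type == ICMP_TIME_EXCEEDED:
            hops.append((ttl, src, "time-exceeded"))
        elif (icmp_type, icmp_code) == (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH_CODE):
            hops.append((ttl, src, "port-unreachable"))
            break                             # destination reached, stop probing
    return hops

SAMPLE_PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.7"]  # constructed sample path

if __name__ == "__main__":
    for ttl, ip, kind in trace(SAMPLE_PATH):
        print(ttl, ip, kind)
```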