This is a real-world traceroute to devdunia.com (185.199.108.153). Each row is one router hop. The color tells you what kind of network segment you're crossing and whether latency is normal.
| HOP | HOSTNAME | IP ADDRESS | RTT 1 | RTT 2 | RTT 3 | ANNOTATION |
|---|---|---|---|---|---|---|
| 1 | _gateway | 192.168.1.1 | 1.823ms | 1.654ms | 1.892ms | 🏠 HOME ROUTER Your WiFi/cable router. Always hop 1. <5ms is perfect — anything over 10ms here suggests WiFi interference. |
| 2 | 10.20.0.1 | 10.20.0.1 | 8.432ms | 9.123ms | 8.654ms | 📡 ISP FIRST HOP CGNAT device or your ISP's local aggregation router. 10.x.x.x is a private IP — typical for ISP CGNAT infrastructure. |
| 3 | (filtered) | — | * | * | * | 🚫 ICMP BLOCKED Router exists but drops ICMP probes. NOT a problem — traffic is flowing (hop 4 responds). Firewalls block ICMP by design. |
| 4 | isp-core-01.example-isp.net | 203.0.113.10 | 18.234ms | 17.891ms | 18.445ms | 🖧 ISP BACKBONE ISP core/backbone router. The jump from ~8ms to ~18ms means we crossed an ISP backbone segment — normal for regional routing. |
| 5 | 108.170.246.161 | 72.14.215.1 | 22.109ms | 21.876ms | 22.345ms | 🌐 PEERING POINT Transit/peering router where ISPs exchange traffic. 72.14.x.x belongs to Google's AS15169 — we've entered Google's network. RTT increase is minimal: good peering! |
| 6 | (filtered) | — | * | * | * | 🚫 ICMP BLOCKED Another filtered hop — completely normal inside CDN/cloud networks. Hop 7 responds, so traffic IS flowing. These stars are not packet loss. |
| 7 | 209.85.252.120 | 209.85.240.1 | 25.678ms | 26.234ms | 25.987ms | ☁️ CDN EDGE Google/CDN edge network router. 209.85.x.x is Google's backbone. We're close to the CDN PoP that serves the destination. |
| 8 | cdn-185-199-108-153.github.com | 185.199.108.153 | 31.456ms | 30.987ms | 31.123ms | 🏆 DESTINATION! GitHub Pages CDN endpoint. Total 8 hops, ~31ms round-trip = EXCELLENT. Reverse DNS confirms it's GitHub's CDN serving your page. |
Three stars are the most misunderstood part of traceroute output. Here's the truth:
"Stars mean the network is down or packets are being dropped. Something is broken!"
This is wrong. Stars by themselves tell you nothing about whether your connection works.
Stars mean that router didn't respond to the ICMP TTL-exceeded probe within the timeout. The router may have silently dropped the probe, or its firewall blocks ICMP responses entirely.
| Pattern | What it means | Action needed? |
|---|---|---|
| `3 * * *` | Hop 3 blocks ICMP, but hop 4 responds — traffic IS flowing through hop 3 | ✅ NO — completely normal |
| `5 * * *` | All hops from #5 onward show stars — the path stops here. Either a real outage or a strict firewall | ⚠ INVESTIGATE — try TCP traceroute |
| `1 router 1ms` | Multiple consecutive stars in the middle — but destination responds fine | ✅ NO — destination is reachable |
ICMP Time Exceeded messages can be used for network reconnaissance — they reveal internal IP addresses of routers. Many enterprise firewalls, cloud providers, and CDNs block outbound ICMP Time Exceeded to prevent disclosing their internal network topology. Load balancers (like AWS ELB or Cloudflare) also commonly show stars.
Each hop shows three RTT measurements (Round-Trip Time) — three separate UDP/ICMP probe packets sent one after another. Here's how to interpret them:
All three values close together — stable, uncongested path. This is ideal.
Middle value is much higher — jitter. Indicates congestion or QoS shaping on that hop.
One probe timed out, one very high — router rate-limits ICMP responses (lower priority traffic).
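The star patterns in the table and the three-RTT readings above can be checked mechanically. The Python below is an added example, not part of the original page: it parses Linux-format traceroute text and labels each hop. The sample output is constructed from the hops shown earlier (hops 5 and 7 altered), and the 20 ms jitter threshold and the verdict names are assumptions.

```python
import re

# Constructed sample in Linux traceroute format, based on the hops shown above;
# hop 5 is altered to lose one probe and hop 7 to show a jitter spike.
SAMPLE = """\
 1  _gateway (192.168.1.1)  1.823 ms  1.654 ms  1.892 ms
 2  10.20.0.1 (10.20.0.1)  8.432 ms  9.123 ms  8.654 ms
 3  * * *
 4  isp-core-01.example-isp.net (203.0.113.10)  18.234 ms  17.891 ms  18.445 ms
 5  108.170.246.161 (72.14.215.1)  22.109 ms  *  95.345 ms
 6  * * *
 7  209.85.252.120 (209.85.240.1)  25.678 ms  61.234 ms  25.987 ms
 8  cdn-185-199-108-153.github.com (185.199.108.153)  31.456 ms  30.987 ms  31.123 ms
"""

JITTER_MS = 20.0  # assumed threshold for "much higher"; tune for your links

def parse(text):
    """Return [(hop, [rtt_ms or None, ...])]; None marks a '*' probe."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue
        probes = re.findall(r"(\d+\.\d+) ms|(\*)", m.group(2))
        hops.append((int(m.group(1)), [float(r) if r else None for r, _ in probes]))
    return hops

def classify(hops):
    """Map hop number -> verdict, following the star and RTT patterns above."""
    last_reply = max((h for h, r in hops if any(x is not None for x in r)), default=0)
    out = {}
    for hop, rtts in hops:
        seen = [x for x in rtts if x is not None]
        if not seen:  # all stars: harmless only if a later hop still answers
            out[hop] = "filtered" if hop < last_reply else "path-stops"
        elif len(seen) < len(rtts):
            out[hop] = "icmp-rate-limited"
        elif max(seen) - min(seen) > JITTER_MS:
            out[hop] = "jitter"
        else:
            out[hop] = "stable"
    return out

if __name__ == "__main__":
    for hop, verdict in classify(parse(SAMPLE)).items():
        print(f"{hop:2}  {verdict}")
```

Only a `path-stops` verdict calls for follow-up; `filtered` hops are followed by a hop that answered, so traffic passed through them.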
The command is named differently on Windows (tracert) vs Linux/macOS (traceroute), but they do the same thing.
⭐ mtr combines traceroute + ping into a live updating display showing packet loss % and average RTT per hop over time. Far superior for diagnosing intermittent issues.
💡 When UDP/ICMP traceroute shows all stars but the site loads fine, use TCP traceroute — firewalls often block UDP/ICMP but allow TCP on port 80/443.
traceroute is a clever hack. It exploits the IP TTL (Time To Live) field — a counter in every IP packet that prevents infinite routing loops. Here's the trick:
Send probe with TTL=1 — traceroute sends a UDP packet (or ICMP/TCP depending on flags) to the destination with TTL set to 1.
The very first router your packet hits (your home gateway) decrements TTL from 1 to 0.
When TTL hits zero, the router must discard the packet and send back an ICMP Time Exceeded message to the sender.
That message comes from the router's own IP — so we've discovered hop 1's address and measured the round-trip time!
Send probe with TTL=2 — next probe has TTL=2.
Router 1 decrements to 1 and forwards it. Router 2 decrements to 0 and sends back ICMP Time Exceeded — revealing hop 2's address and RTT.
traceroute increments TTL by 1 each time: TTL=1, TTL=2, TTL=3 ... until the destination is reached.
Three probes per hop — traceroute sends 3 probe packets at each TTL value (the three RTT columns you see). This gives you a better picture of latency consistency and packet loss. If one probe times out (no ICMP reply within the timeout), that position shows *.
Destination finally responds — when the probe finally reaches the destination with TTL still > 0, the reply depends on the probe type. UDP mode: the target sends back ICMP Port Unreachable (because the target UDP port is closed). ICMP mode: the target sends back ICMP Echo Reply. TCP mode: the target sends back TCP RST or SYN-ACK. traceroute detects this "destination reached" response and stops.
Why does the output show the complete path? — by the time traceroute is done, it has collected one router IP per TTL value — forming a complete map of the network path from your machine to the destination. This is the "route" that traceroute draws. If traffic follows asymmetric routes (different path outbound vs inbound), you only see the outbound path — the ICMP replies may come back on a completely different route.
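The TTL walk described above, as an added simulation (not code from the original page or from any traceroute implementation): a modelled path in which two routers never send ICMP Time Exceeded. The `Router` class, the function names and the addresses given to the silent hops are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Router:
    ip: str
    answers_icmp: bool = True  # False: drops expired probes without replying

# Constructed path modelled on the hop table above. Hops 3 and 6 are silent;
# their addresses are placeholders the sender never learns.
PATH = [
    Router("192.168.1.1"), Router("10.20.0.1"),
    Router("198.51.100.3", answers_icmp=False), Router("203.0.113.10"),
    Router("72.14.215.1"), Router("198.51.100.6", answers_icmp=False),
    Router("209.85.240.1"),
]
DEST = "185.199.108.153"

def send_probe(path, dest, ttl, dest_answers=True):
    """Carry one probe along the path; return (reply_type, source_ip) or None."""
    for router in path:
        ttl -= 1                      # each router decrements TTL by 1
        if ttl == 0:                  # expired here: packet is discarded
            return ("time-exceeded", router.ip) if router.answers_icmp else None
    # TTL still > 0 at the target. UDP mode: closed port -> Port Unreachable.
    return ("port-unreachable", dest) if dest_answers else None

def traceroute(path, dest, max_hops=30, probes=3, dest_answers=True):
    """Return [(ttl, address or '*')], stopping once the destination replies."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, dest, ttl, dest_answers) for _ in range(probes)]
        got = [r for r in replies if r is not None]
        rows.append((ttl, got[0][1] if got else "*"))
        if any(kind == "port-unreachable" for kind, _ in got):
            break                     # "destination reached": stop probing
    return rows

if __name__ == "__main__":
    for ttl, addr in traceroute(PATH, DEST):
        print(f"{ttl:2}  {addr}")
```

With `dest_answers=False` the trace ends in stars up to the 30-hop limit even though every router forwarded the probe, which is the case the page says to recheck with TCP traceroute.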
TTL starts at 64 (Linux), 128 (Windows), or 255 (some routers). Each router decrements by 1. The TTL you see in the destination's packets tells you roughly what OS the target runs: 64 - hops ≈ Linux/macOS, 128 - hops ≈ Windows.
Network traffic often takes a different path from A→B versus B→A. traceroute only shows the forward path. RTT increases you see include the return path, which may cross different routers entirely.
traceroute stops after 30 hops by default. If the destination still hasn't responded, it gives up. Real internet paths rarely exceed 20 hops — 30 is plenty for almost all destinations.
Linux traceroute uses UDP by default (high port). macOS uses ICMP. Windows tracert uses ICMP. TCP mode (-T) is best for penetrating firewalls because TCP port 80/443 is almost always allowed.