When your internet connection stumbles, a remote server becomes unresponsive, or an application displays a sudden spike in latency, standard ping tests can only tell you half the story. While a ping measures whether a target host is reachable and how fast it responds, it provides zero visibility into the actual path your data takes to get there. To pinpoint exactly where a packet gets delayed, dropped, or misrouted across the complex topology of the web, you need to use a terminal traceroute.
The terminal traceroute command is one of the most fundamental and powerful utilities in a systems administrator's toolkit. By executing a traceroute command terminal query, you can map the entire journey of your packets, hop by hop, across local routers, internet service providers (ISPs), regional backbones, and international gateways. Whether you are running a macos traceroute terminal command to diagnose local Wi-Fi bottlenecks, executing an osx traceroute terminal query on legacy Apple hardware, or analyzing packet hops on a mobile device via a traceroute android terminal setup, this comprehensive guide will equip you with a deep, expert-level understanding of how to run, configure, and interpret traceroute commands.
In this diagnostic guide, we will cover how traceroute works under the hood, how to run it across various terminal environments, how to read its cryptic output columns, and how to utilize advanced flags to bypass modern firewall filtering.
How Traceroute Works Under the Hood: The Magic of TTL
To master the terminal traceroute, one must first understand the fundamental networking mechanics of the Internet Protocol (IP) header. Traceroute does not rely on a specialized, proprietary diagnostic protocol; instead, it exploits standard IP packet handling rules and ICMP (Internet Control Message Protocol) error reporting.
At the core of traceroute is a mechanism known as TTL, or "Time to Live." Despite its name, TTL is not a measure of elapsed time in seconds. Instead, it is an 8-bit integer field in the IP header that acts as a maximum hop counter. To prevent lost or misrouted packets from looping infinitely through circular routes and consuming internet bandwidth, every router that forwards a packet decrements its TTL value by exactly one.
If a router receives an IP packet with a TTL of 1, it decrements the value to 0. Since standard protocol rules forbid forwarding a packet with a TTL of 0, the router is forced to discard it. To notify the sender of this dropped packet, the router generates an ICMP "Time Exceeded in Transit" (Type 11, Code 0) error message and sends it back to the original source address. This error message contains the router's own IP address in its header.
Traceroute leverages this hop-by-hop dropping mechanism using a systematic, step-by-step approach:
- The First Probe: The terminal traceroute utility sends a batch of three packets destined for the target host with the TTL field set to 1.
- The First Hop: The very first router (typically your local Wi-Fi router or office gateway) receives these packets, decrements their TTL to 0, discards them, and sends back an ICMP Time Exceeded packet. Traceroute records the round-trip time (RTT) for these packets to return and resolves the router's IP and hostname.
- Incrementing TTL: The program then increments the TTL to 2 and sends another batch of three packets. These packets pass through the first router (which decrements the TTL to 1) and reach the second router. The second router decrements the TTL from 1 to 0, discards the packets, and returns an ICMP Time Exceeded packet. Traceroute records this as Hop 2.
- Reaching the Final Target: This process continues, incrementing the TTL by 1 with each consecutive step. Eventually, the packets reach the destination server itself. Because the destination server is the final target, it does not attempt to forward the packets. Instead, it processes them and sends back an ICMP Port Unreachable message (if using UDP probes) or an ICMP Echo Reply (if using ICMP probes), signaling to the traceroute utility that the trace is complete.
The Crucial Protocol Difference: UDP vs. ICMP
A common technical pitfall for network engineers is that different operating systems implement the traceroute command terminal utility using different network protocols:
- macOS, OS X, Linux, and Unix-like Systems: By default, the
traceroutecommand sends UDP (User Datagram Protocol) packets destined for high-numbered, unused destination ports (ranging from 33434 to 33534). It expects to receive ICMP "Time Exceeded" messages from intermediate routers, and an ICMP "Port Unreachable" (Type 3, Code 3) message from the final destination host. - Windows Systems: The Windows counterpart,
tracert, uses ICMP Echo Request packets (the same packet type used by ping) instead of UDP. It expects to receive ICMP "Time Exceeded" messages from intermediate routers, and an ICMP "Echo Reply" (Type 0) message from the final destination.
This division is critical to keep in mind. Many modern enterprise firewalls and cloud network security groups are configured to silently drop high-port UDP traffic, yet they may permit ICMP traffic (or vice versa). Consequently, you might run a terminal traceroute on a Mac and see nothing but timeouts, while a Windows machine on the exact same local network successfully resolves the path. Later, we will look at how to force your Unix terminal to use alternative protocols like ICMP or TCP to bypass these firewall filters.
Running Traceroute Across Different OS Terminals
Let's walk through the steps to execute a traceroute across all major desktop and mobile operating systems. Since operating system vendors have steadily removed vintage graphical network utilities, command line proficiency is now the industry standard.
macOS and OS X Terminal
For over twenty years, Mac users could rely on a native application named "Network Utility" to run diagnostic pings, port scans, and traceroutes via a standard GUI. However, Apple deprecated and completely removed Network Utility starting in macOS Big Sur. To perform these network tests on any modern Mac, utilizing the macos traceroute terminal is the default, native solution.
To run a traceroute on modern macOS or legacy Mac OS X:
- Launch the Terminal application. You can locate it inside Finder under
/Applications/Utilities/Terminal.app, or open it instantly using Spotlight search by pressingCmd + Space, typing "Terminal," and hitting Enter. - In the command prompt, type the base command followed by your destination domain or IP address, and press Enter:
traceroute google.com - The utility will immediately begin tracing the route. If you are troubleshooting legacy machines, this exact same command structure applies to any vintage osx traceroute terminal session.
Linux Terminal
Most modern Linux distributions come with the traceroute package pre-installed. However, if you are working with a minimal cloud server image (such as Ubuntu Server or Alpine Linux), the command may be missing. You can easily install it using your distribution's package manager:
- Debian / Ubuntu / Linux Mint:
sudo apt update && sudo apt install -y traceroute - RHEL / Rocky Linux / AlmaLinux / Fedora:
sudo dnf install -y traceroute - Arch Linux:
sudo pacman -S traceroute
Once installed, invoke the command in your terminal exactly like macOS:
traceroute example.com
Android Terminal
When troubleshooting cellular networks, carrier-grade NATs, or local mobile Wi-Fi, executing a traceroute android terminal check is incredibly valuable. Because Android does not ship with a user-facing command-line interface out of the box, you must choose one of the following methods to access terminal diagnostics:
Method 1: Using Termux (Recommended & No Root Required)
Termux is a highly popular, open-source terminal emulator and Linux environment wrapper for Android devices.
- Download and install Termux (available via F-Droid or GitHub).
- Open the Termux application on your Android device.
- Update your local repository and install the network utility package containing traceroute:
pkg update && pkg install -y dnsutils - Run your trace command:
traceroute google.com
Method 2: Using Android Debug Bridge (ADB)
If you are an app developer or have a desktop computer connected to your phone, you can run commands directly on the Android kernel via the ADB shell.
- Enable Developer Options and USB Debugging on your Android device.
- Connect your phone to your computer via a USB cable.
- Open your desktop terminal and confirm your device is detected:
adb devices - Launch the remote Android shell:
adb shell - Execute a ping command with incrementing TTLs, or run the native traceroute binary if compiled into your device's BusyBox configuration:
traceroute google.com
Method 3: Visual Trace Applications
If you prefer not to use a command line environment on a small touchscreen, you can download a robust traceroute application from the Google Play Store (such as "Intrace: Visual traceroute" or "PingTools"). These tools wrap command-line utilities in an easy-to-read graphical interface.
Windows Terminal (PowerShell / CMD)
While Windows uses the alternative binary name tracert, running it inside the modern Windows Terminal is simple. Open Windows Terminal (PowerShell or Command Prompt) and type:
tracert google.com
Decoding and Interpreting Traceroute Output
A terminal traceroute output can initially look like a chaotic wall of numbers and domains. Let's break down a realistic terminal response line-by-line to understand exactly what each piece of data tells us.
Here is a typical diagnostic output resolving to a remote website:
traceroute to example.com (93.184.216.34), 64 hops max, 52 byte packets
1 192.168.1.1 (192.168.1.1) 1.214 ms 1.085 ms 1.012 ms
2 10.0.0.1 (10.0.0.1) 4.321 ms 3.945 ms 4.110 ms
3 96.120.12.133 (96.120.12.133) 12.450 ms 11.890 ms 13.120 ms
4 * * *
5 edge-router-01.ny.isp.net (198.51.100.22) 15.670 ms 14.230 ms 14.990 ms
6 93.184.216.34 (93.184.216.34) 16.110 ms 15.980 ms 16.012 ms
Let's analyze this step-by-step:
The Header Line:
traceroute to example.com (93.184.216.34), 64 hops max, 52 byte packetsThis tells us the destination host, its resolved IPv4 address, the safety limit of 64 hops (to prevent infinite loops), and the size of the outgoing probe packets (52 bytes).The First Column (Hop Number): The integer at the beginning of each line (1 through 6) represents the hop number, corresponding to the incremental TTL values used.
The Second Column (Hostname and IP): This displays the reverse DNS hostname of the router at that hop, followed by its physical IP address in parentheses. If reverse DNS lookup fails or is disabled, only the numerical IP address will be displayed.
The Next Three Columns (Round-Trip Times): Traceroute sends three separate probe packets for each hop. The three time readings (measured in milliseconds) show how long it took for each of those three packets to complete the round-trip journey. Comparing these three times is highly effective for detecting packet jitter or momentary routing delays.
The Asterisks (
* * *) on Hop 4: This is the most misunderstood feature of network traces. When a hop displays three asterisks, it simply means that the router at that hop failed to send back an ICMP reply within the timeout period. This can occur for several reasons:- Firewall Dropping: The router's firewall is explicitly configured to discard UDP or ICMP probes.
- ICMP Rate Limiting: The router is busy and prioritizing routing production data over diagnostic ICMP packets.
- Asymmetric Routing: The return path from that router to your computer is broken or blocked.
Crucial Rule: If subsequent hops (such as hops 5 and 6) resolve successfully with low latency, the asterisks on hop 4 are completely harmless. The network traffic successfully bypassed hop 4 to reach its final target; hop 4 simply chose not to talk back to your terminal.
Advanced Flags and Power-User Command Options
While running a standard traceroute <host> works well on simple networks, real-world troubleshooting often requires adjusting parameters. The traceroute command terminal binary features several extremely powerful switches that allow you to customize your diagnostics.
| Flag / Switch | Purpose | Unix Command Example | Windows Equivalent |
|---|---|---|---|
-n |
Disable reverse DNS lookups (speed up trace) | traceroute -n google.com |
tracert -d google.com |
-m <hops> |
Adjust maximum hops / TTL limit | traceroute -m 15 google.com |
tracert -h 15 google.com |
-w <secs> |
Adjust wait timeout per probe | traceroute -w 2 google.com |
tracert -w 2000 google.com |
-q <num> |
Change queries per hop (default is 3) | traceroute -q 1 google.com |
N/A |
-I |
Force ICMP Echo Request probes | sudo traceroute -I google.com |
Default behavior |
-T |
Force TCP SYN probes (bypass firewalls) | sudo traceroute -T google.com |
N/A |
-p <port> |
Define custom destination port | sudo traceroute -T -p 443 google.com |
N/A |
Let's examine how to use these advanced flags to solve difficult troubleshooting tasks:
1. Speed Up Traces with -n (Disable DNS Resolution)
By default, traceroute performs a reverse DNS lookup on every single intermediate hop to resolve a hostname. If a router's DNS server is sluggish or broken, your traceroute can stall for several seconds at each step. By appending the -n flag, you skip DNS resolution entirely, forcing the terminal to print only IP addresses. This frequently reduces trace execution times from minutes to seconds:
traceroute -n google.com
2. Bypass Firewalls with TCP Traceroute (-T and tcptraceroute)
Many modern corporate security appliances and public network routers block UDP packets on high ports and block standard ICMP pings. However, because these networks must allow web traffic to pass, they almost always permit TCP traffic on port 80 (HTTP) or port 443 (HTTPS).
By running a TCP-based traceroute, you can sneak your diagnostic probes through firewalls by making them look like normal web traffic. This is a game-changing tool for website administrators:
sudo traceroute -T -p 443 example.com
Note: Running TCP probes requires raw socket access, which is why you must prepend the sudo command on macOS and Linux.
3. Change Probe Protocols with -I (Force ICMP)
If you are tracing from a Mac or Linux terminal and suspect that UDP packets are being dropped by a local firewall, you can force the utility to use ICMP Echo Requests (matching the Windows behavior) with the -I flag:
sudo traceroute -I google.com
4. Optimize Output with -q 1 (Reduce Probe Count)
If you are conducting a massive trace across many hops and want to save network overhead, you can instruct traceroute to send only one probe packet per hop instead of three:
traceroute -q 1 google.com
Practical Troubleshooting Scenarios
How do you analyze raw traceroute data and translate it into actionable technical solutions? Let's review three common network troubleshooting scenarios.
Scenario A: Local Network Bottleneck (Local Link Issues)
1 192.168.1.1 (192.168.1.1) 185.234 ms 142.110 ms 164.082 ms
2 10.0.0.1 (10.0.0.1) 190.567 ms 175.120 ms 182.890 ms
- Analysis: The very first hop (your local router) displays exceptionally high latency (exceeding 150ms). This latency remains elevated on all subsequent hops.
- The Root Cause: Your local connection is congested. This is typically caused by poor Wi-Fi signal strength, local wireless channel interference, or someone on your local network saturating your bandwidth (e.g., executing a large download).
- The Action Plan: Restart your local router, connect your machine directly to your modem using a physical Ethernet cable, or switch your Wi-Fi channel to avoid local congestion.
Scenario B: ISP Congestion or Core Routing Issues
1 192.168.1.1 (192.168.1.1) 1.234 ms 1.110 ms 1.082 ms
2 10.0.0.1 (10.0.0.1) 4.567 ms 4.120 ms 3.890 ms
3 96.120.12.133 (96.120.12.133) 12.450 ms 11.890 ms 13.120 ms
4 comcast-backbone.chicago.il.net (96.110.32.221) 215.670 ms 244.230 ms 230.990 ms
5 destination-server.com (142.250.190.46) 216.110 ms 245.980 ms 231.012 ms
- Analysis: Hops 1, 2, and 3 are perfectly fast and healthy (under 15ms). However, at hop 4 (which belongs to a regional transit backbone or your ISP), the round-trip times suddenly skyrocket by over 200ms and remain high to the final destination.
- The Root Cause: This is a classic indicator of regional ISP congestion, a failing fiber link, or an unoptimized peering route between networks.
- The Action Plan: Since the bottleneck is completely outside your local network, you cannot fix it directly. However, you can save this terminal log, open a ticket with your ISP, and provide this data to show their tier-2 engineering department where the congestion point lies.
Scenario C: Complete Path Disruption (Unreachable Destination)
8 regional-gateway.net (198.51.100.45) 22.110 ms 21.980 ms 22.012 ms
9 * * *
10 * * *
... (all hops time out up to maximum)
- Analysis: The trace proceeds smoothly up to hop 8, but starting at hop 9, the trace completely dies and outputs only asterisks for all remaining hops.
- The Root Cause: This represents a network black hole. It typically means that a router in the path has crashed, a physical fiber cable has been severed, or there is an aggressive firewall routing rule blocking all outgoing traffic beyond that specific node.
- The Action Plan: If other websites load fine but this target remains unreachable, the destination server's network is likely experiencing an outage. Check the status of the destination platform or wait for their infrastructure engineers to resolve the routing failure.
Frequently Asked Questions (FAQ)
Why does macOS not have the Network Utility app anymore?
Apple removed the legacy graphical Network Utility application starting with macOS Big Sur to clean up deprecated components and encourage the use of native CLI commands. All features of the classic application are still fully functional and faster to execute directly from the macOS terminal using commands like ping, traceroute, nslookup, and whois.
How do I stop an active traceroute command from running in my terminal?
You can immediately stop any active CLI process (including traceroute) in macOS, Linux, or Windows by pressing the Ctrl + C keyboard shortcut on your keyboard. This sends a standard termination signal to the utility, returning you safely to your primary shell prompt.
Why do my traceroute tests start with asterisks on the first few hops?
This is highly common in fiber-to-the-home (FTTH) setups or secure corporate enterprise offices. The local modems, optical network terminals (ONTs), or security firewalls are explicitly programmed to ignore diagnostic probe packets for security reasons. As long as your traceroute successfully completes and resolves subsequent hops, local asterisks are completely harmless.
What is the difference between traceroute and ping?
Ping is a quick, point-to-point reachability test. It tells you whether a destination host is online and how fast it responds, but it treats the network path as a single black box. Traceroute, by contrast, opens that black box, mapping out every individual hop, enabling you to pinpoint exactly where delays or drops occur along the path.
Is running a traceroute safe for my network?
Yes. Running a traceroute is completely safe. It uses standard, passive IP network diagnostic headers and does not exploit security vulnerabilities or overload networks. It is a universal, standard troubleshooting technique used by thousands of IT support engineers every single day.
Conclusion
The terminal traceroute is one of the most reliable, essential diagnostics for diagnosing complex network paths. By learning how to invoke traceroute on macOS, Linux, and Android, understanding the mechanics of TTL, and utilizing advanced options like -n (to skip slow DNS lookups) and -T (to trace over secure TCP connections), you can locate and resolve latency bottlenecks anywhere in the world. Next time your connections stall, open your favorite terminal, launch a trace, and let the data point you directly to the source of the problem.
