1. Introduction
In this tutorial, we’ll learn what *** represents in the output of traceroute and how to find the actual cause of such a result.
2. Tracing a Route
When we connect to a website, our communication passes through a collection of routers. They have routing tables to decide where to forward incoming packets:
Although there are many paths from source to destination, a specific path (shown in red above) is chosen by the routers based on link congestion, capacity, and other constraints.
Most of the time, we don’t care about the actual path. However, if we face a problem in our communication, we’d like to know the specific routers our communication’s traveling through and the round-trip time from the source to each router in the path. For that, we can use traceroute.
3. Traceroute
Let’s trace the route to Google’s DNS server, whose IP address is 8.8.8.8:
$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 MyRouter (68.87.192.226) 0.345 ms 0.264 ms 0.177 ms
2 68.87.192.227 (68.87.192.227) 9.291 ms 9.301 ms 9.324 ms
3 96.110.177.33 (96.110.177.33) 9.290 ms 9.342 ms 9.246 ms
4 162.151.78.129 (162.151.78.129) 9.154 ms 9.022 ms 9.080 ms
5 be-232-rar01.santaclara.ca.sfba.comcast.net (162.151.78.253) 8.701 ms 8.703 ms 8.662 ms
6 96.108.99.249 (96.108.99.249) 9.465 ms 13.033 ms 12.988 ms
7 be-299-ar01.santaclara.ca.sfba.comcast.net (68.86.143.93) 13.280 ms 9.685 ms 9.555 ms
8 96.112.146.26 (96.112.146.26) 10.052 ms 96.112.146.22 (96.112.146.22) 10.046 ms 96.112.146.26 (96.112.146.26) 9.469 ms
9 * * *
10 dns.google (8.8.8.8) 9.231 ms 9.126 ms 9.143 ms
In this listing, we see the number of hops (that is, the number of routers traversed), the IP address at each step, and the RTT (Round Trip Time) in milliseconds. When traceroute sends out a probing packet, it includes in it a Time to Live (TTL) field. Each router decrements TTL. If TTL is zero, the router returns a message to the source that includes the router’s IP.
Line 8 shows that some probes take different paths at the same step: the first and third probes go through 96.112.146.26, while the second probe goes through 96.112.146.22. This is because network conditions are constantly changing, which affects the routing tables. Here, the router 96.112.146.22 was a better choice for a brief period of time, so the previous one chose it in the second probe.
4. What Do Three Stars Represent?
On line 10 in the preceding output, we only see ***. What does that mean?
4.1. Some Routers Don’t Respond Because of the Overload
A router may be too busy to respond to the traceroute probe, which it considers a low-priority event. We can check if that’s the case by repeating traceroute for the same destination a few times.
If we get the same list of routers but don’t see *** anymore, then it was a temporary overload. Similarly, if the path changes, that’s probably because the router in question is under a heavy load, so it’s temporarily avoided by other routers in the network.
4.2. Some Routers Don’t Want to Respond
Some organizations configure their routers not to respond to traceroute because they don’t want to reveal details of their internal network. Let’s look at an example:
$ traceroute -n mit.edu
traceroute to mit.edu (23.202.69.116), 30 hops max, 60 byte packets
...
14 23.32.63.13 76.969 ms 75.976 ms 74.613 ms
15 23.207.239.37 74.207 ms 74.402 ms 74.315 ms
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
We see that we got responses up to step 15, but not beyond that. The organization has set up its routers to not respond to traceroute, which gives up after 30 steps.
We won’t have any success even if we increase the max TTL (using -m), since no router beyond the one in step 15 will respond. A sequence of three-star hops that persists in repeated traceroute probes even if we increase TTL indicates that the routers don’t respond because their owners forbade them to.
5. Heuristics for Exploring a Network With traceroute
traceroute is a valuable tool for exploring a network connection. By default, it sends out three probes to the routers along the path from source to destination. Each router responds with its IP address and three round trip times (RTTs), one for each probe.
Sometimes, we may get one or more stars from a router in the output of traceroute. If we observe one or two stars, this usually means that the particular router is overloaded and didn’t respond to some of the traceroute probes. To verify this, we repeat the traceroute command. If the router appears without stars, we can say they were the result of a temporary transitory overload. If they remain, further stars appear, or we don’t see this particular router in repeated outputs, it’s probably under heavy load conditions.
Three stars can result from network congestion or the routers may be set up not to respond to traceroute. If the three stars persist when repeating the probes, it’s likely that the owner programmed the routers to remain anonymous for security reasons. We’ll typically encounter this as a sequence of hops as we saw above. The long sequence of *** represents the traceroute’s attempts to find routers along the path to the destination when the organization owning the routers has shielded them from outside probes.
6. Conclusion
In this article, we discussed the output of traceroute, and the meaning of stars in the output, in particular a sequence of three. One or two are usually the result of a router too overloaded to respond to a traceroute probe.
In contrast, if we get ***, that’s usually because routers are set up not to respond to traceroute probes for security. However, this isn’t always the case: heavy load conditions may cause *** as well. We can’t always know for sure what’s the case, but there are heuristics we can use.