Sunday, November 5, 2023

Traceroute from Linux OS [In-depth analysis using Wireshark]

Here we will see the packets associated with traceroute when run on Linux OS.

Below is the output of traceroute to yahoo.com (IP address 74.6.143.25):


From the output, we can see that yahoo.com is 16 hops away from the user machine.

The capture collected with tcpdump can be opened in Wireshark. It shows that the machine first sends three UDP datagrams (one per probe, each to its own high destination port, starting at 33434 by default on Linux) with the TTL in the IP header set to 1.


Every Layer 3 device that forwards the packet decrements the TTL by 1. When a packet arrives with a TTL of 1, decrementing it makes it 0; the router then discards the packet and sends an ICMP Time-to-live exceeded message (Type 11, Code 0) back to the machine:


The machine notes the sender's IP address of that ICMP message and records it as a hop on the path to the destination.
It then sends the next three probes with the TTL set to 2, and the process of recording the senders' IP addresses repeats, one TTL value at a time.

I have used a Wireshark display filter (icmp.type == 11) to list the senders' IP addresses of the ICMP Type 11 messages.



When the TTL value is set to 18, the probe reaches the destination IP address itself. Since nothing is listening on the probe's UDP port, the destination returns a different ICMP message - Destination unreachable, Port unreachable.


The ICMP message Type 3 Code 3 tells traceroute that the destination has been reached, so the traceroute is complete and no further UDP packets need to be sent by the machine.

Notice how at the sixth hop there are two different IP addresses - 172.31.29.245 and 172.25.81.134 - which could mean there is some sort of load balancing. This is a common artifact of classic traceroute: each probe uses a different UDP destination port, so a router doing per-flow (ECMP) load balancing can hash the three probes for one TTL onto different next hops and a different router answers each probe. The two addresses are therefore not necessarily on the same physical path; tools such as Paris traceroute keep the port numbers constant to avoid this.
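The whole procedure described above (probes with increasing TTL, ICMP Type 11 replies recorded as hops, replies matched back to probes, Type 3 Code 3 ending the trace, and a hop that answers from two addresses) can be modelled offline. The following Python is an added example written for this page, not tooling from the original post. It sends no packets: a constructed path object answers each probe with the ICMP error a real router would return, including the quoted IP and UDP headers that traceroute uses to match a reply to its probe. The hop addresses other than 172.31.29.245, 172.25.81.134 and 74.6.143.25 are made up (documentation ranges), checksums are left at zero, and choosing the sixth-hop router by port parity is a stand-in for a router's flow hash.

```python
"""Model of Linux UDP traceroute driven by a constructed network.

Added example, not the blog's own tooling. No packets are sent; a constructed
path object answers each probe the way the routers in the capture did.
"""
import struct

ICMP_TIME_EXCEEDED = 11       # Type 11, Code 0: TTL reached zero in transit
ICMP_DEST_UNREACH = 3         # Type 3 ...
CODE_PORT_UNREACH = 3         # ... Code 3: nothing listens on the probe's UDP port
BASE_PORT = 33434             # traceroute's default first UDP destination port
PROBES_PER_HOP = 3            # traceroute's default probe count per TTL


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_probe(src, dst, ttl, dport, payload=b"\x00" * 32):
    """IPv4 + UDP datagram as traceroute sends it (checksums left at zero)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 17, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    udp_hdr = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def build_icmp_error(icmp_type, code, original):
    """ICMP error: 8-byte ICMP header + quoted IP header + first 8 bytes (RFC 792)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]


def parse_icmp_error(icmp):
    """Return (type, code, quoted UDP destination port) from an ICMP error."""
    icmp_type, code = icmp[0], icmp[1]
    ihl = (icmp[8] & 0x0F) * 4                 # IHL of the quoted IP header
    quoted_udp = icmp[8 + ihl:8 + ihl + 8]     # the quoted 8 bytes are the UDP header
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", quoted_udp)
    return icmp_type, code, dport


class ConstructedPath:
    """Constructed hop list. A tuple entry models an ECMP hop whose router is
    picked by the probe's UDP destination port (a stand-in for a flow hash)."""

    def __init__(self, hops, dst):
        self.hops, self.dst = hops, dst

    def send(self, probe):
        ttl = probe[8]                                   # TTL byte of the IP header
        dport = struct.unpack("!H", probe[22:24])[0]     # UDP destination port
        if ttl <= len(self.hops):
            router = self.hops[ttl - 1]
            if isinstance(router, tuple):
                router = router[dport % len(router)]
            return router, build_icmp_error(ICMP_TIME_EXCEEDED, 0, probe)
        return self.dst, build_icmp_error(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, probe)


def traceroute(network, src, dst, max_hops=30):
    """TTL 1..max_hops, PROBES_PER_HOP probes each; stop after Port Unreachable.

    Returns one list of responder IPs per hop, in probe order."""
    hops, seq = [], 0
    for ttl in range(1, max_hops + 1):
        responders, reached = [], False
        for _ in range(PROBES_PER_HOP):
            dport = BASE_PORT + seq           # a fresh port per probe, as traceroute does
            seq += 1
            replier, icmp = network.send(build_probe(src, dst, ttl, dport))
            itype, code, quoted_dport = parse_icmp_error(icmp)
            if quoted_dport != dport:         # reply belongs to some other probe
                continue
            responders.append(replier)
            if itype == ICMP_DEST_UNREACH and code == CODE_PORT_UNREACH:
                reached = True
        hops.append(responders)
        if reached:
            break
    return hops


def multipath_hops(hops):
    """1-based hop numbers that answered from more than one address."""
    return [i + 1 for i, r in enumerate(hops) if len(set(r)) > 1]


# Constructed path: hop 6 alternates between the two routers seen in the capture.
SAMPLE_PATH = ConstructedPath(
    ["192.168.0.1", "10.10.0.1", "10.10.1.1", "203.0.113.1", "203.0.113.9",
     ("172.31.29.245", "172.25.81.134"), "198.51.100.7"],
    dst="74.6.143.25")


def demo():
    return traceroute(SAMPLE_PATH, "192.168.0.10", "74.6.143.25")


if __name__ == "__main__":
    for n, responders in enumerate(demo(), 1):
        print(n, " ".join(responders))
    print("multipath at hops:", multipath_hops(demo()))
```

Running the script prints one line per hop, with hop 6 showing both routers, and stops at hop 8 where the constructed destination answers with Type 3 Code 3. The `quoted_dport != dport` check is the part a packet-level view makes obvious: the ICMP error only identifies which probe it answers through the UDP header quoted inside it, which is also why a per-flow load balancer keyed on that changing port splits one hop across two responders. A real traceroute needs raw sockets (and therefore root) to set the TTL and read ICMP; this model only reproduces the decision logic.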
