An Intro to Traceroute w/ Drawings

An Intro to Traceroute w/ Drawings

A lot of the time when we talk about internet privacy, we talk about what happens to our personal information after visiting a website. For instance, you might be aware that our search results are saved by Google, or that our browsing history is being tracked by advertisers across the internet.

But what about when our personal information is traveling along the wire from your computer to the website you’re visiting? What happens to your data before it reaches its destination? Who else gets to see it?

It’s no secret that the NSA along with your internet service provider collect internet traffic. If you use the internet anywhere in the world, I will generally assume that your traffic passes along a wire that is monitored by a corporation or a government agency.

There is a definite need for laws that regulate corporations and governments when it comes to valuing citizens’ privacy. But until that happens, did you know that you could monitor where your own traffic goes with a special computer program called Traceroute?

What is Traceroute?

Traceroute comes included with most computers. Apple, Linux distros, and Windows all have this. It’s a command-line program you can run to create a report of what places (aka gateways) your internet traffic visits before it reaches its final destination. Potentially, you can learn things such as whether or not your traffic is going through an NSA listening post.

Let’s get to it. If you were to open up a terminal and type:


or with windows:


you’ll get a nice little report that tells you where and who your internet traffic has visited before reaching

my traceroute report

Let’s break one of these down shall we?

single gateway reading

  1. (Yellow) - the first part is the gateway name. Just like some people give their router or wi-fi hotspot a name, companies give their gateways some really weird names. In this example the letters nyc and rr appear so you can guess its probably a New York City gateway from the RR Media company which provides internet services.

  2. (Green) - the second part is the IP address. An IP address is a number that is used to locate where in the world a computer or a router is - just like your home address. You can learn what your own IP address is or what others are using websites like this. This gateway’s IP address is and a search for it reports that it’s located somewhere near Broadway and Chambers St. in New York City.

  3. (Blue) - the third part indicates how long it took for your packet to reach this gateway. The timer is adjusted to count how long it took for the packet to reach the next gateway from the previous one; not the total time it took to reach the gateway from your computer.

    On gateway 8 in the first screenshot, there are three individual numbers (19ms, 22ms, 34ms) because Traceroute sends 3 different packets to each gateway for the sake of accuracy. Sometimes (like in gateway 9), you’ll see three different IP addresses and timestamps. This is because gateway 9 has multiple IP addresses and some of the packets visited different ones after visiting gateway 8.

If you wanted to visualize this report with a map, a new mapping tool (ixmaps) sprung up recently that can map and even show you when your traffic passes through the suspected listening posts for the NSA in America, so there’s that. Fun fact - the tool relies on using Traceroute to map your traffic too!

Sometimes, whistleblowers have helped make sense of the gateway names and what patterns to look for that would suggest your traffic is being passed to an NSA listening post, such as the (in)famous room 641A.

It’s believed that the NSA prefers to wiretap undersea or overland cables. In this case, Traceroute can’t tell you much because the data gets copied and saved from the cables that run between the gateways. Traceroute has no way of knowing what happens to your data before it reaches a gateway.

On the other hand, corporations are legally collecting information at all of their gateways too. This could mean that every gateway could be monitored by the government if corporations are asked to cooperate and hand over their records.

While none of this is very good news, I was very excited to learn about Traceroute because it’s a tool that anyone can use to monitor their traffic and potentially gather evidence of the (one day, illegal) corporate and government surveillance that’s pervasive in our lives.

So, how does Traceroute work? I did some reading about it from the manual with man traceroute. Then, I made these drawings with to share with you all some of the details about what I learned!

How does Traceroute work?

When a data packet is born on your computer, before it’s sent across the internet, it’s given a limited lifespan at birth called a time-to-live (TTL) or a hop-limit. 

data packet born

A TTL (or hop-limit) is just a number which says how many stops it can make before it reaches its destination. If it doesn’t reach its destination before the number reaches 0, it’s supposed to “die”.

data packet journey

This is to make sure that a data packet can’t live forever and take over the world if it fails to reach its destination.

data packet takes-over-world

If a data packet dies before reaching its destination, the internet is nice enough to write it an obituary (because the internet cares for and loves all things, especially it’s data packets!)

This obituary is called an ICMP (Internet Control Message Protocol) TIME_EXCEEDED response and it gets sent back to your computer telling you where (gateway name / IP address) and when your poor data packet died.

data packet dies

The people who wrote Traceroute thought this could be very useful if you wanted to learn about all the stops your data makes on its journey from point  A (your computer) to point B (the website you’re visiting).

engineer idea

So Traceroute works by sending a data packet with a TTL / hop-limit of 1 and seeing where it dies. Then it sends another with a TTL / hop-limit of 2 and sees where IT dies, and so on until it finally sends a packet that reaches its destination and doesn’t die.

Then it collects all the ICMP TIME_EXCEEDED responses (obituaries) and gives you a report of all the gateways all these packets visited.

engineer traceroute

All of these places are part of the INTERNET SUPER MEGASTRUCTURE - the big network of wires that gets your internet traffic from your computer to a website and back. Each stop is called an internet gateway that is basically a giant router that serves entire cities, regions, countries, and continents.

Most of these places belong to companies and are where your Internet service provider like Verizon or AT&T pass your data along.

At each of these places your data packets are collected and interrogated for information. 

transit tracking

Which is one of the reasons why HTTPS is important - it encrypts the content of your poor little data packets, but doesn’t hide where it came from and where its going.

Some things I’m trying to figure out.

  • How does someone figure out the owner of each internet gateway that comes up in a Traceroute report?

  • Is there a way you can choose which internet gateways you’d like to send your data through?

  • Do you have any more information you’d like to add? Any questions about what I wrote? Please leave it in the comments below!

Special thanks to @sa0un and @tenacioustek for their reviews and edits!


Because every coding blog needs a comments section.

Please keep comments respectful! Harassment and general arrogance will not be tolerated.