Skip to content
MikroTik RouterOS Docs

MikroTik RouterOS Traceroute: Path Discovery and Diagnostics

MikroTik RouterOS Traceroute: Path Discovery and Diagnostics

Section titled “MikroTik RouterOS Traceroute: Path Discovery and Diagnostics”

RouterOS Version: 6.x / 7.x Difficulty: Beginner Estimated Time: 15 minutes

Overview

Section titled “Overview”

Traceroute reveals the path packets take to reach a destination by exploiting the TTL (Time-To-Live) mechanism. Each router in the path decrements the TTL, and when it reaches zero, the router sends back an ICMP “Time Exceeded” message. By incrementing the TTL with each probe, traceroute maps out every hop along the route.

Use traceroute to diagnose where packets are being dropped, identify routing problems, measure per-hop latency, and understand the path your traffic takes through the network.

How Traceroute Works

Section titled “How Traceroute Works”
Your Router                    Hop 1           Hop 2           Destination
    │                            │               │                  │
    ├─── TTL=1 ─────────────────►│               │                  │
    │◄── Time Exceeded ──────────┤               │                  │
    │                            │               │                  │
    ├─── TTL=2 ─────────────────►├──────────────►│                  │
    │◄── Time Exceeded ──────────────────────────┤                  │
    │                            │               │                  │
    ├─── TTL=3 ─────────────────►├──────────────►├─────────────────►│
    │◄── Port Unreachable / Echo Reply ──────────────────────────────┤
  1. Router sends packet with TTL=1
  2. First hop decrements TTL to 0, responds with ICMP “Time Exceeded”
  3. Router increments TTL and repeats
  4. Process continues until destination responds

Basic Usage

Section titled “Basic Usage”

Simple Traceroute

Section titled “Simple Traceroute”
/tool traceroute 8.8.8.8

Example Output:

 # ADDRESS         LOSS SENT LAST   AVG   BEST  WORST STD-DEV STATUS
 1 192.168.1.1    0%     3  1.2ms  1.1ms  1ms   1.2ms  0.1ms
 2 10.0.0.1       0%     3  8.5ms  8.3ms  8ms   9ms    0.5ms
 3 72.14.215.85   0%     3  12ms   11ms   10ms  12ms   1ms
 4 8.8.8.8        0%     3  14ms   13ms   12ms  14ms   1ms

Output columns:

  • # - Hop number (TTL value)
  • ADDRESS - IP address of the responding router
  • LOSS - Percentage of probes that timed out
  • SENT - Number of probes sent to this hop
  • LAST - Most recent response time
  • AVG - Average response time
  • BEST/WORST - Minimum and maximum response times
  • STD-DEV - Standard deviation (consistency measure)

Traceroute with DNS Resolution

Section titled “Traceroute with DNS Resolution”

Show hostnames instead of just IP addresses:

/tool traceroute 8.8.8.8 use-dns=yes

IPv6 Traceroute

Section titled “IPv6 Traceroute”
/tool traceroute 2001:4860:4860::8888

Common Parameters

Section titled “Common Parameters”
ParameterDefaultDescription
protocoludpProbe protocol: icmp or udp
count3Number of probes per hop
size64Packet size in bytes (28-1500)
timeout1sWait time for response (1s-8s)
max-hops30Maximum number of hops to trace
src-addressautoSource IP for probes
vrfmainVRF instance (v7)
routing-tablemainRouting table (v6)
use-dnsnoResolve addresses to hostnames
dscp0QoS marking for probes
port33434Destination port for UDP probes

Protocol selection: UDP vs ICMP

Section titled “Protocol selection: UDP vs ICMP”
Protocol selection: UDP vs ICMP diagram

Default: UDP

Section titled “Default: UDP”
/tool traceroute 8.8.8.8 protocol=udp

UDP traceroute sends packets to high destination ports (33434+). When the packet reaches the destination, the target returns ICMP “Port Unreachable” since nothing is listening on that port.

Alternative: ICMP

Section titled “Alternative: ICMP”
/tool traceroute 8.8.8.8 protocol=icmp

ICMP traceroute sends Echo Request packets. The destination responds with Echo Reply.

When to use which:

  • Try UDP first (default)
  • If UDP shows timeouts at the destination but ping works, switch to ICMP
  • Some enterprise firewalls block UDP traceroute ports but allow ICMP

Advanced Usage

Section titled “Advanced Usage”

Specify Source Address

Section titled “Specify Source Address”

For routers with multiple interfaces, control which source IP is used:

/tool traceroute 8.8.8.8 src-address=192.168.1.1

This is important when you need the trace to match the path your actual traffic takes.

Traceroute in VRF (RouterOS 7)

Section titled “Traceroute in VRF (RouterOS 7)”
/tool traceroute 10.0.0.1 vrf=customer-vrf

Traceroute with Routing Table (RouterOS 6)

Section titled “Traceroute with Routing Table (RouterOS 6)”
/tool traceroute 10.0.0.1 routing-table=wan1
Section titled “Extended Timeout for High-Latency Links”

For satellite or congested links:

/tool traceroute 8.8.8.8 timeout=3s

More Probes for Better Statistics

Section titled “More Probes for Better Statistics”
/tool traceroute 8.8.8.8 count=10

Test with Larger Packets

Section titled “Test with Larger Packets”

Useful for detecting MTU issues along the path:

/tool traceroute 8.8.8.8 size=1472 protocol=icmp

QoS-Marked Traceroute

Section titled “QoS-Marked Traceroute”

Test the path for traffic with specific DSCP marking:

/tool traceroute 8.8.8.8 dscp=46

Reading Traceroute Output

Section titled “Reading Traceroute Output”
Reading Traceroute Output diagram

Successful Trace

Section titled “Successful Trace”
 # ADDRESS         LOSS SENT LAST   AVG   BEST  WORST
 1 192.168.1.1    0%     3  1ms    1ms   1ms   1ms
 2 10.0.0.1       0%     3  5ms    5ms   4ms   6ms
 3 8.8.8.8        0%     3  12ms   11ms  10ms  12ms

All hops responding with 0% loss - path is healthy.

Asterisks (Timeouts)

Section titled “Asterisks (Timeouts)”
 # ADDRESS         LOSS SENT LAST   AVG   BEST  WORST
 1 192.168.1.1    0%     3  1ms    1ms   1ms   1ms
 2                100%   3
 3 8.8.8.8        0%     3  12ms   11ms  10ms  12ms

Hop 2 shows asterisks (* * * or 100% loss) but the path works. This is normal - many ISP routers are configured not to respond to TTL exceeded messages to reduce CPU load.

Path Ends with Timeouts

Section titled “Path Ends with Timeouts”
 # ADDRESS         LOSS SENT LAST   AVG   BEST  WORST
 1 192.168.1.1    0%     3  1ms    1ms   1ms   1ms
 2 10.0.0.1       0%     3  5ms    5ms   4ms   6ms
 3                100%   3
 4                100%   3
 5                100%   3

If the trace times out at the end and never reaches the destination:

  • Destination may be down
  • Firewall blocking probe packets
  • Try different protocol (protocol=icmp)

Latency Anomalies

Section titled “Latency Anomalies”
 # ADDRESS         LOSS SENT LAST   AVG   BEST  WORST
 1 192.168.1.1    0%     3  1ms    1ms   1ms   1ms
 2 10.0.0.1       0%     3  50ms   45ms  40ms  50ms
 3 8.8.8.8        0%     3  12ms   11ms  10ms  12ms

Hop 2 shows higher latency than the final destination. This seems impossible but is actually common - routers prioritize forwarding packets over generating ICMP responses. The ICMP generation happens in the “slow path” and may be rate-limited.

Key insight: Focus on the destination latency, not intermediate hops.

Verification Examples

Section titled “Verification Examples”

Check 1: Verify Internet Path

Section titled “Check 1: Verify Internet Path”
/tool traceroute 8.8.8.8 count=5

Expected: Path completes to destination with reasonable latency.

Check 2: Compare UDP vs ICMP

Section titled “Check 2: Compare UDP vs ICMP”
/tool traceroute 8.8.8.8 protocol=udp
/tool traceroute 8.8.8.8 protocol=icmp

Expected: Both should show similar paths. If one fails and the other works, there’s protocol-specific filtering.

Check 3: Verify VRF Routing

Section titled “Check 3: Verify VRF Routing”
/tool traceroute 10.0.0.1 vrf=customer-vrf

Expected: Path should go through the VRF’s routing table, not the main table.

Troubleshooting

Section titled “Troubleshooting”

Problem: “All hops show asterisks”

Section titled “Problem: “All hops show asterisks””

Cause: Outbound ICMP or UDP blocked by local firewall.

Solution:

  1. Check firewall rules: /ip firewall filter print where chain=output
  2. Try different protocol: protocol=icmp or protocol=udp
  3. Verify basic connectivity: /ping 8.8.8.8

Problem: “Trace works until destination, then times out”

Section titled “Problem: “Trace works until destination, then times out””

Cause: Destination firewall blocks traceroute probes.

Solution:

# Try ICMP if UDP fails
/tool traceroute 8.8.8.8 protocol=icmp

If ping works but traceroute doesn’t, the destination is reachable but blocking traceroute specifically.

Problem: “Different path than expected”

Section titled “Problem: “Different path than expected””

Cause: Asymmetric routing, load balancing, or wrong source address.

Solution:

  1. Specify source address to match real traffic: 
    /tool traceroute 8.8.8.8 src-address=YOUR_WAN_IP
  2. Check routing table: /ip route print where dst-address=0.0.0.0/0
  3. For multi-WAN, use the correct routing table/VRF

Problem: “Inconsistent results between runs”

Section titled “Problem: “Inconsistent results between runs””

Cause: Load-balanced paths (ECMP) use per-flow hashing.

Solution: This is expected behavior. Each traceroute may take a different path through load-balanced links. Use the same source/destination port combination for consistent results.

Problem: “VRF traceroute doesn’t work” (RouterOS 7)

Section titled “Problem: “VRF traceroute doesn’t work” (RouterOS 7)”

Cause: Using wrong parameter name.

Solution: RouterOS 7 uses vrf, RouterOS 6 uses routing-table:

# RouterOS 7
/tool traceroute 10.0.0.1 vrf=my-vrf


# RouterOS 6
/tool traceroute 10.0.0.1 routing-table=my-table

Common Pitfalls

Section titled “Common Pitfalls”

1. Misinterpreting Asterisks

Section titled “1. Misinterpreting Asterisks”

Wrong: “Hop 3 shows * * *, there’s a problem at hop 3”

Right: Asterisks just mean that router doesn’t respond to TTL exceeded. If later hops respond, the path is working.

2. Judging Latency by Intermediate Hops

Section titled “2. Judging Latency by Intermediate Hops”

Wrong: “Hop 2 has 50ms latency, that router is slow”

Right: ICMP generation is low-priority. Only the final destination latency is meaningful for diagnosing actual traffic performance.

3. Expecting to See Path Through NAT

Section titled “3. Expecting to See Path Through NAT”

Wrong: Expecting to trace the internal path of a remote network

Right: Traceroute can only see up to the NAT device. Internal hops behind NAT are invisible.

4. Forgetting Protocol Differences

Section titled “4. Forgetting Protocol Differences”

Wrong: Only trying UDP when debugging connectivity

Right: Always try both protocols if one fails:

/tool traceroute 8.8.8.8 protocol=udp
/tool traceroute 8.8.8.8 protocol=icmp

5. Using Default VRF When Testing Specific Path

Section titled “5. Using Default VRF When Testing Specific Path”

Wrong:

/tool traceroute 10.0.0.1  # Uses main routing table

Right:

/tool traceroute 10.0.0.1 vrf=customer-vrf

Firewall Considerations

Section titled “Firewall Considerations”

Allowing Traceroute to Your Router

Section titled “Allowing Traceroute to Your Router”

If you want remote hosts to be able to traceroute to your router:

# Allow ICMP Time Exceeded (for intermediate hops)
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=11:0 comment="ICMP Time Exceeded"


# Allow ICMP Echo Reply (for ICMP traceroute destination)
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=0:0 comment="ICMP Echo Reply"


# Allow UDP traceroute ports (for UDP traceroute destination)
/ip firewall filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="UDP Traceroute"

IPv6 Traceroute Firewall Rules

Section titled “IPv6 Traceroute Firewall Rules”
/ipv6 firewall filter add chain=input action=accept protocol=icmpv6 icmp-options=3:0 comment="ICMPv6 Time Exceeded"
/ipv6 firewall filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="UDP Traceroute"

Limitations

Section titled “Limitations”
  • NAT boundaries: Cannot see internal path of NATted networks
  • MPLS networks: May hide intermediate hops (label switching)
  • Load balancing: Different runs may show different paths
  • Rate limiting: Routers may rate-limit ICMP responses, causing apparent loss
  • Firewall blocking: Many networks block traceroute probes
  • Maximum 30 hops: Default limit, adjustable with max-hops
Section titled “Related Topics”

Troubleshooting Tools

Section titled “Troubleshooting Tools”

Monitoring

Section titled “Monitoring”

Routing

Section titled “Routing”

References

Section titled “References”