trace

trace (also known as traceroute on Unix systems or tracert on Windows systems) tries to discover the actual path a packet takes to a selected destination. On Unix, it accomplishes this by using the TTL (Time to Live) field of a UDP packet. On Microsoft platforms, ICMP is used instead of UDP. The TTL is the number of hops a packet is allowed to take before the network gives up the delivery attempt and returns an error message to the sender. Each hop through a router decrements the TTL counter until the TTL hits 0, at which time the router returns the packet to the originator with a “TTL expired” error. Three packets are sent for each TTL, because there’s no guarantee that all will make the journey.

trace starts by sending a packet to a UDP port on the destination with a TTL of 1. The UDP port is unimportant as long as it’s not being used by the destination. Cisco routers pick a default port of 33434. When the packet hits the first router, it is returned. The host from which the packet was returned (the source address of the returned packet) is the first gateway between your router and the destination. trace then sends out a second packet with a TTL of 2. This packet will make it to the second router along the path to the destination, which then returns it. This router is the second gateway in our trace. This process is repeated until the destination is reached and a “port unreachable” message is returned. Figure 14-2 shows this process.

Figure 14-2. Using TTLs to trace the ...
