traceroute & mtr Commands
Network path analysis tools for diagnosing connectivity issues, routing problems, and latency bottlenecks affecting SSL/TLS connections.
traceroute - Basic Path Tracing
Basic traceroute
Trace the route packets take to reach a destination:
traceroute example.com
HTTPS port tracing
Trace route to HTTPS port (TCP SYN; this mode normally requires root):
traceroute -T -p 443 example.com
Set maximum hops
Limit the maximum number of hops to check:
traceroute -m 20 example.com
Disable DNS resolution
Show only IP addresses (faster):
traceroute -n example.com
traceroute - Advanced Options
Set number of queries per hop
Send multiple probes per hop for better accuracy:
traceroute -q 5 example.com
Set wait time
Set timeout for each probe (in seconds):
traceroute -w 3 example.com
Use ICMP ECHO
Use ICMP ECHO instead of UDP (may require root):
sudo traceroute -I example.com
Specify source interface
Set the network interface to use:
traceroute -i eth0 example.com
mtr - Combined traceroute and ping
Basic mtr
Interactive network diagnostic tool (combines traceroute + ping):
mtr example.com
Report mode
Generate a report after 10 cycles:
mtr --report example.com
Set report cycle count
Specify number of pings per hop:
mtr --report --report-cycles 100 example.com
No DNS resolution
Show only IP addresses (faster):
mtr --no-dns example.com
mtr - Advanced Options
TCP mode on HTTPS port
Test path to HTTPS service:
mtr --tcp --port 443 example.com
CSV output
Export results in CSV format for analysis:
mtr --csv --report --report-cycles 100 example.com
JSON output
Export results in JSON format:
mtr --json --report --report-cycles 50 example.com
Set packet size
Specify packet size in bytes:
mtr --psize 1400 example.com
Set interval between packets
Specify interval in seconds (default is 1):
mtr --interval 0.5 example.com
SSL/TLS Connection Diagnostics
Diagnose HTTPS connectivity
Trace TCP path to HTTPS port:
traceroute -T -p 443 -n example.com
Monitor HTTPS latency
Continuous monitoring of HTTPS endpoint:
mtr --tcp --port 443 --report-cycles 100 example.com
Check CDN routing
See which CDN node you're reaching:
mtr --report --report-cycles 10 cdn.example.com
# Check last hop to identify CDN POP location
Identify packet loss
Find where packets are being dropped:
mtr --report --report-cycles 200 example.com
# Look for Loss% column - high loss indicates problems
Certificate Authority Connectivity
Trace to ACME CA
Check connectivity to Let's Encrypt:
mtr --tcp --port 443 acme-v02.api.letsencrypt.org
Check OCSP responder path
Verify routing to OCSP service:
traceroute -T -p 80 ocsp.digicert.com
Monitor CRL distribution point
Check connectivity to CRL server:
mtr --tcp --port 80 crl.example.com
Troubleshooting Common Issues
Identify routing loops
Look for repeating IP addresses in traceroute:
traceroute -m 30 example.com
# Watch for same IPs appearing multiple times
Check for asymmetric routing
Compare outbound and return paths:
# Outbound path
traceroute example.com
# Return path (if server accessible)
# ssh to remote server and run:
traceroute your.local.ip
Detect MTU issues
Find path MTU problems:
# Test with large packet
mtr --psize 1472 example.com
# If fragmentation needed, reduce size
mtr --psize 1400 example.com
Identify firewall blocking
Check if specific hops are blocking probes:
# Try different protocols
traceroute -I example.com # ICMP
traceroute -T -p 443 example.com # TCP
traceroute -U example.com # UDP to a fixed destination port (53 unless -p is given)
Automated Monitoring Scripts
Continuous path monitoring
Monitor path changes over time:
#!/bin/bash
# Save to path-monitor.sh
TARGET="example.com"
LOG="path_log_$(date +%Y%m%d).txt"
while true; do
  echo "=== $(date) ===" >> "$LOG"
  mtr --report --report-cycles 10 --no-dns "$TARGET" >> "$LOG"
  sleep 300 # Check every 5 minutes
done
Alert on latency increase
Monitor for latency spikes:
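#!/bin/bash
TARGET="example.com"
THRESHOLD=100 # milliseconds
# Average RTT of the last hop, truncated to whole milliseconds
AVG_RTT=$(mtr --report --report-cycles 10 --json "$TARGET" | \
  jq '.report.hubs[-1].Avg' | cut -d. -f1)
# A failed mtr or jq run leaves AVG_RTT empty or "null"; do not compare it
if ! [[ "$AVG_RTT" =~ ^[0-9]+$ ]]; then
  echo "Alert: no RTT measurement for $TARGET" >&2
  exit 1
fi
if [ "$AVG_RTT" -gt "$THRESHOLD" ]; then
  echo "Alert: High latency detected: ${AVG_RTT}ms"
  # Send notification here
fi
Multi-target comparison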
Compare routes to multiple targets:
#!/bin/bash
TARGETS=("primary.example.com" "backup.example.com" "cdn.example.com")
for target in "${TARGETS[@]}"; do
  echo "Testing: $target"
  mtr --report --report-cycles 10 "$target"
  echo ""
done
Important Notes
Some traceroute modes (ICMP) and mtr may require root/sudo privileges.
Many firewalls and routers block or rate-limit ICMP, causing * * * in results. This doesn't always indicate a problem - try TCP mode (-T) instead.
Outbound and return paths may differ significantly. traceroute shows only the outbound path.
mtr combines traceroute with continuous ping, providing better statistics. Use mtr for ongoing monitoring, traceroute for quick checks.
Look for: (1) Packet loss at specific hops, (2) Sudden latency increases, (3) Routing loops (repeated IPs), (4) Different paths on subsequent runs.
traceroute/mtr reveal network topology and infrastructure details. Some organizations may restrict use on production networks.
Linux and macOS/BSD use traceroute; Windows uses tracert, which has a different syntax. mtr is available on all platforms but may need to be installed.
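The checks listed in the notes above (loss at specific hops, sudden latency increases, repeated IPs), together with the caveat that loss at a single intermediate hop is often only ICMP filtering or rate limiting, can be applied to a report automatically. The script below is an added example, not part of the original page; the function name `triage_mtr_report`, the finding labels and the `JUMP_MS` variable are assumptions, and it expects the text output of `mtr --report --no-dns` on stdin.

```shell
#!/bin/bash
# Added example (not from the original page): triage `mtr --report --no-dns`
# text output read from stdin. Function name, labels and JUMP_MS are assumptions.
#   HOP_ONLY      loss at a hop while a later hop is clean (filtering/rate limit)
#   PATH_LOSS     first hop of loss that persists all the way to the last hop
#   LATENCY_JUMP  Avg rises by more than JUMP_MS and is still high at the last hop
#   LOOP          the same address answers at more than one hop
triage_mtr_report() {
  awk -v jump="${JUMP_MS:-50}" '
    /^ *[0-9]+\.[|]--/ {
      n++
      hop[n] = $1; sub(/\..*/, "", hop[n])        # "4.|--" -> "4"
      ip[n] = $2
      loss[n] = $3; sub(/%/, "", loss[n]); loss[n] += 0
      avg[n] = $6 + 0                             # columns: Loss% Snt Last Avg ...
    }
    END {
      first = n + 1                               # start of the trailing run of lossy hops
      for (j = n; j >= 1 && loss[j] > 0; j--) first = j
      prev = 0                                    # last hop that answered at all
      for (i = 1; i <= n; i++) {
        if (ip[i] != "???" && seen[ip[i]]++ == 1) print "LOOP", ip[i]
        if (i == first) print "PATH_LOSS", hop[i], ip[i], loss[i] "%"
        else if (i < first && loss[i] > 0) print "HOP_ONLY", hop[i], ip[i], loss[i] "%"
        if (loss[i] < 100) {
          if (prev && avg[i] - avg[prev] > jump && avg[n] - avg[prev] > jump)
            print "LATENCY_JUMP", hop[i], ip[i], "+" (avg[i] - avg[prev]) "ms"
          prev = i
        }
      }
    }'
}

# Constructed sample report (documentation-range addresses, invented figures).
SAMPLE_REPORT='HOST: probe01            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1         0.0%   100    0.6   0.7   0.5   1.2   0.1
  2.|-- 198.51.100.9     40.0%   100    9.8  10.1   9.2  14.0   0.8
  3.|-- 198.51.100.17     0.0%   100   11.5  11.8  10.9  15.3   0.7
  4.|-- 203.0.113.5      12.0%   100   92.0  92.4  90.1  99.8   1.9
  5.|-- 203.0.113.80     11.0%   100   93.1  93.0  91.0 101.2   2.0'

printf '%s\n' "$SAMPLE_REPORT" | triage_mtr_report
```

In the sample, the 40% loss at hop 2 is reported as HOP_ONLY because hop 3 is clean, while the loss starting at hop 4 carries through to the destination and coincides with the latency jump.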