Most modern operating systems include a built-in traceroute tool. For example, Linux and macOS use the traceroute command, while Windows uses tracert. However, you may observe different results from these commands even when run on the same network. This article explains the reasons behind these differences.

Traceroute variants by platform

All traceroute tools fundamentally perform the same process: they send packets with a progressively increasing TTL (also known as hop limit) to get information about each hop along the route. However, they differ in what type of packet they send. There are three major protocols for traceroutes: ICMP, UDP, and TCP. Linux and macOS traceroute use UDP by default, while Windows tracert uses ICMP.

Linux

| Variant | Datadog Support | Equivalent Traceroute |
|---|---|---|
| ICMP | | traceroute -I |
| UDP | | traceroute |
| TCP SYN | | tcptraceroute |
| TCP SACK | | Third-party tools |

Typically traceroute and tcptraceroute are made available by official package maintainers, but only traceroute is installed by default.

Windows

| Variant | Datadog Support | Equivalent Traceroute |
|---|---|---|
| ICMP | | tracert |
| UDP | | Third-party tools |
| TCP SYN | | Third-party tools |
| TCP SACK | | N/A |

Windows does not have officially distributed TCP or UDP traceroute tools. However, third-party solutions such as nmap and tracetcp exist.

macOS

| Variant | Datadog Support | Equivalent Traceroute |
|---|---|---|
| ICMP | | traceroute -I |
| UDP | | traceroute |
| TCP SYN | | tcptraceroute (via homebrew) |
| TCP SACK | | N/A |

Firewall impact on traceroute variants

Firewalls are a key factor in choosing which traceroute variant to use. For example, a network might block all UDP packets except DNS requests, or an HTTP server could be configured to reject all incoming traffic (including ICMP and UDP), allowing only TCP connections on port 443.

Using TCP-based traceroutes can be more effective because they match the protocol of normal application traffic, increasing the likelihood that firewalls will allow the packets through.

TCP SACK traceroutes

While TCP SYN (synchronize) traceroutes are useful, they can be blocked by firewalls in some cases. Because they initiate half-open connections, they may be misinterpreted as SYN floods or port scans. In contrast, SACK (Selective Acknowledgement) traceroutes operate after a full TCP connection is established. They use selective acknowledgement to prompt the target to acknowledge packets without requiring actual data transmission.

SACK traceroutes do send packets with data, but they introduce a deliberate gap that triggers head-of-line blocking, preventing the data from reaching the application layer.

Datadog currently supports TCP SACK traceroutes on Linux only.

ICMP traceroutes

All traceroutes rely on “ICMP TTL Exceeded” (Internet Control Message Protocol Time to Live) packets to build a network path. This often causes confusion regarding what defines an ICMP traceroute, since all traceroute variants receive ICMP responses. The key difference lies in what packets the traceroute is sending, not receiving.

An ICMP traceroute specifically sends ICMP Echo Request packets, the same type used by the ping command. If a packet's TTL (Time to Live) is too low, a router along the path responds with an ICMP Time Exceeded message. At the final hop, the Echo Request reaches the destination, which replies with an ICMP Echo Reply.
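The sent-versus-received distinction above can be read directly out of a reply: an ICMP Time Exceeded message quotes the IP header and first 8 bytes of the probe that expired, so the quoted protocol field identifies the variant. The following is an added example, not Datadog's code; the function names, addresses (documentation ranges), and port values are constructed for illustration.

```python
import struct

# IP protocol numbers of the probe types the page lists
VARIANT_BY_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def time_exceeded(quote: bytes) -> bytes:
    """Constructed ICMP Time Exceeded (type 11, code 0) quoting a probe; checksum left 0."""
    return struct.pack("!BBHI", 11, 0, 0, 0) + quote

def probe(proto: int, ttl: int, l4_first8: bytes) -> bytes:
    """Constructed IPv4 header (no options, checksum 0) plus the probe's first 8 payload bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return hdr + l4_first8

def classify(icmp: bytes) -> dict:
    """Map an ICMP message seen by a traceroute to the variant of probe that caused it."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type = icmp[0]
    if icmp_type == 0:                       # Echo Reply: destination answering an ICMP probe
        return {"reply": "echo-reply", "variant": "ICMP"}
    if icmp_type != 11:                      # not a Time Exceeded message
        return {"reply": f"type-{icmp_type}", "variant": None}
    quoted = icmp[8:]                        # original IP header + first 8 bytes of the probe
    if len(quoted) < 20:
        raise ValueError("quoted IP header missing")
    ihl = (quoted[0] & 0x0F) * 4             # header length in bytes, options included
    if ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram truncated")
    proto, l4 = quoted[9], quoted[ihl:ihl + 8]
    out = {"reply": "time-exceeded", "variant": VARIANT_BY_PROTO.get(proto, "unknown")}
    if proto in (6, 17):                     # TCP and UDP both start with src/dst port
        out["sport"], out["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1:                         # quoted probe is itself ICMP; 8 = Echo Request
        out["probe_icmp_type"] = l4[0]
    return out

# Constructed samples: one expired probe per variant, plus a final-hop Echo Reply
SAMPLES = {
    "udp": time_exceeded(probe(17, 1, struct.pack("!HHHH", 40000, 33434, 8, 0))),
    "tcp": time_exceeded(probe(6, 1, struct.pack("!HHI", 40001, 443, 1))),
    "icmp": time_exceeded(probe(1, 1, struct.pack("!BBHHH", 8, 0, 0, 7, 1))),
    "echo_reply": struct.pack("!BBHHH", 0, 0, 0, 7, 1),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, classify(msg))
```

All three Time Exceeded samples are the same ICMP type on the wire; only the quoted probe tells a capture analyst which traceroute variant was running.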
