Network Path traceroute variants
Most modern operating systems include a built-in traceroute tool. For example, Linux and macOS use the traceroute command, while Windows uses tracert. However, you may observe different results from these commands even when run on the same network. This article explains the reasons behind these differences.
All traceroute tools fundamentally perform the same process: they send packets with a progressively increasing TTL (also known as hop limit) to get information about each hop along the route. However, they differ in what type of packet they send. There are three major protocols for traceroutes: ICMP, UDP, and TCP. Linux and macOS traceroute use UDP by default, while Windows tracert uses ICMP.
Linux

Variant | Datadog Support | Equivalent Traceroute
ICMP | | traceroute -I
UDP | | traceroute
TCP SYN | | tcptraceroute
TCP SACK | | Third-party tools
Typically traceroute and tcptraceroute are made available by official package maintainers, but only traceroute is installed by default.
Windows

Variant | Datadog Support | Equivalent Traceroute
ICMP | | tracert
UDP | | Third-party tools
TCP SYN | | Third-party tools
TCP SACK | | N/A
Windows does not have officially distributed TCP or UDP traceroute tools. However, third-party solutions like nmap and tracetcp exist.
macOS

Variant | Datadog Support | Equivalent Traceroute
ICMP | | traceroute -I
UDP | | traceroute
TCP SYN | | tcptraceroute (via Homebrew)
TCP SACK | | N/A
Firewall impact on traceroute variants
Firewalls are a key factor in choosing which traceroute variant to use. For example, a network might block all UDP packets except DNS requests, or an HTTP server could be configured to reject all incoming traffic (including ICMP and UDP), allowing only TCP connections on port 443.
Using TCP-based traceroutes can be more effective because they match the protocol of normal application traffic, increasing the likelihood that firewalls will allow the packets through.
TCP SACK traceroutes
While TCP SYN (synchronize) traceroutes are useful, they can be blocked by firewalls in some cases. Because they initiate half-open connections, they may be misinterpreted as SYN floods or port scans. In contrast, SACK (Selective Acknowledgement) traceroutes operate after a full TCP connection is established. They use selective acknowledgement to prompt the target to acknowledge packets without requiring actual data transmission.
SACK traceroutes do send packets with data, but they introduce a deliberate gap that triggers head-of-line blocking, preventing the data from reaching the application layer.
Datadog currently supports TCP SACK traceroutes on Linux only.
ICMP traceroutes
All traceroutes rely on “ICMP TTL Exceeded” (Internet Control Message Protocol Time to Live) packets to build a network path. This often causes confusion regarding what defines an ICMP traceroute, since all traceroute variants receive ICMP responses. The key difference lies in what packets the traceroute is sending, not receiving.
An ICMP traceroute specifically sends ICMP Echo Request packets, the same type used by the ping command. If a packet’s TTL (Time to Live) is too low, a router along the path responds with an ICMP Time Exceeded message. At the final hop, the Echo Request reaches the destination, which replies with an ICMP Echo Response.
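The distinction above, that every variant receives ICMP Time Exceeded and only the probe type differs, can be read directly from a reply, because a Time Exceeded message quotes the probe's IP header and first 8 bytes (RFC 792). The following Python sketch is an added example, not Datadog code; the function names, addresses, ports, and identifiers are constructed for illustration, and only IPv4 is assumed.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IP protocol numbers

def classify_reply(icmp: bytes) -> dict:
    """Tell which probe variant produced an ICMP reply (bytes start at the ICMP header)."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if icmp[0] == 0:  # Echo Reply (type 0): the destination answering an ICMP probe
        ident, seq = struct.unpack("!HH", icmp[4:8])
        return {"reply": "echo-reply", "probe": "ICMP", "id": ident, "seq": seq}
    if icmp[0] != 11:  # 11 = Time Exceeded, sent by a router when the TTL runs out
        raise ValueError(f"unhandled ICMP type {icmp[0]}")
    quoted = icmp[8:]  # RFC 792: the probe's IP header plus its first 8 bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (quoted[0] & 0x0F) * 4  # IP header length, options included
    if ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram is truncated")
    proto, l4 = quoted[9], quoted[ihl:ihl + 8]
    result = {"reply": "time-exceeded", "probe": PROTOCOLS.get(proto, f"proto-{proto}")}
    if proto in (6, 17):  # TCP and UDP both start with source and destination port
        result["sport"], result["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1 and l4[0] == 8:  # quoted ICMP Echo Request: identifier, sequence
        result["id"], result["seq"] = struct.unpack("!HH", l4[4:8])
    return result

def time_exceeded_sample(proto: int, l4: bytes) -> bytes:
    """Constructed sample: Time Exceeded quoting a probe (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return struct.pack("!BBHI", 11, 0, 0, 0) + ip + l4

# Constructed samples (documentation addresses, made-up ports and identifiers).
UDP_SAMPLE = time_exceeded_sample(17, struct.pack("!HHHH", 40000, 33434, 8, 0))
TCP_SAMPLE = time_exceeded_sample(6, struct.pack("!HHI", 40001, 443, 1))
ICMP_SAMPLE = time_exceeded_sample(1, struct.pack("!BBHHH", 8, 0, 0, 0x1234, 3))
ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 4)

if __name__ == "__main__":
    for name, pkt in [("udp", UDP_SAMPLE), ("tcp", TCP_SAMPLE),
                      ("icmp", ICMP_SAMPLE), ("final hop", ECHO_REPLY)]:
        print(name, classify_reply(pkt))
```

The 8 quoted bytes that RFC 792 guarantees cover the TCP ports and sequence number but not the TCP flags, so a reply quoted at that minimum length identifies a TCP probe without showing whether it was a SYN or a SACK probe.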