TCPTRACEROUTE(8)            System Manager's Manual           TCPTRACEROUTE(8)

       tcptraceroute - A traceroute implementation using TCP packets

       tcptraceroute [-nNFSAE] [ -i interface ] [ -f first ttl ]
       [ -l length ] [ -q number of queries ] [ -t tos ]
       [ -m max ttl ] [ -p source port ] [ -s source address ]
       [ -w wait time ] host [ destination port ] [ length ]

       tcptraceroute is a traceroute implementation using TCP packets.

       The more traditional traceroute(8) sends out either UDP or ICMP ECHO
       packets with a TTL of one, and increments the TTL until the destination
       has been reached.  By printing the gateways that generate ICMP time
       exceeded messages along the way, it is able to determine the path
       packets are taking to reach the destination.

       The problem is that with the widespread use of firewalls on the modern
       Internet, many of the packets that traceroute(8) sends out end up being
       filtered, making it impossible to completely trace the path to the
       destination.  However, in many cases, these firewalls will permit
       inbound TCP packets to specific ports that hosts sitting behind the
       firewall are listening for connections on.  By sending out TCP SYN
       packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to
       bypass the most common firewall filters.

       It is worth noting that tcptraceroute never completely establishes a
       TCP connection with the destination host.  If the host is not listening
       for incoming connections, it will respond with an RST indicating that
       the port is closed.  If the host instead responds with a SYN|ACK, the
       port is known to be open, and an RST is sent by the kernel
       tcptraceroute is running on to tear down the connection without
       completing three-way handshake.  This is the same half-open scanning
       technique that nmap(1) uses when passed the -sS flag.

       -n     Display numeric output, rather than doing a reverse DNS lookup
              for each hop.  By default, reverse lookups are never attempted
              on RFC1918 address space, regardless of the -n flag.

       -N     Perform a reverse DNS lookup for each hop, including RFC1918

       -f     Set the initial TTL used in the first outgoing packet.  The
              default is 1.

       -m     Set the maximum TTL used in outgoing packets.  The default is

       -p     Use the specified local TCP port in outgoing packets.  The
              default is to obtain a free port from the kernel using bind(2).
              Unlike with traditional traceroute(8), this number will not
              increase with each hop.

       -s     Set the source address for outgoing packets.  See also the -i

       -i     Use the specified interface for outgoing packets.

       -q     Set the number of probes to be sent to each hop.  The default is

       -w     Set the timeout, in seconds, to wait for a response for each
              probe.  The default is 3.

       -S     Set the TCP SYN flag in outgoing packets.  This is the default,
              if neither -S or -A is specified.

       -A     Set the TCP ACK flag in outgoing packets.  By doing so, it is
              possible to trace through stateless firewalls which permit
              outgoing TCP connections.

       -E     Send ECN SYN packets, as described in RFC2481.

       -t     Set the IP TOS (type of service) to be used in outgoing packets.
              The default is not to set any TOS.

       -F     Set the IP "don't fragment" bit in outgoing packets.

       -l     Set the total packet length to be used in outgoing packets.  If
              the length is greater than the minimum size required to assemble
              the necessary probe packet headers, this value is automatically

       -d     Enable debugging, which may or may not be useful.

       Please see the examples.txt file included in the tcptraceroute
       distribution for a few real world examples.

       To trace the path to a web server listening for connections on port 80:

              tcptraceroute webserver

       To trace the path to a mail server listening for connections on port

              tcptraceroute mailserver 25

       No error checking is performed on the source address specified by the
       -s flag, and it is therefore possible for tcptraceroute to send out TCP
       SYN packets for which it has no chance of seeing a response to.

       Michael C. Toren <>

       For updates, please see:

       traceroute(8), ping(8), nmap(1)

                                 2001 July 31                 TCPTRACEROUTE(8)