1

How does a TCP Trace work?

3 Answers

2

A TCP trace works in much the same way as a more traditional trace, except that instead of sending out ICMP ECHO or UDP packets (which are often blocked by firewalls and load balancers) with an increasing TTL (time-to-live) in each subsequent batch of packets, it sends out TCP SYN packets, again with an ever-increasing TTL until a response is received from the destination. In this way, the responses of each subsequent error packet received from the router at each hop can be timed from the time each packet was sent until the corresponding response was received. Additional information (such as a sampling of distinct load-balanced destinations) can be extracted due to return packets originating from different IP addresses for identical TTLs.

Jessica McKinnon
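How a TCP trace can attribute each reply to the probe that caused it, as an added example that is not part of the original answers: routers answer with ICMP Time Exceeded quoting the dropped SYN, while the destination answers with TCP directly. The addresses, ports, the one-probe-per-source-port scheme and all helper names are assumptions constructed for illustration.

```python
import socket
import struct

# Constructed sample values: documentation addresses and made-up ports.
SRC, DST = "192.0.2.10", "203.0.113.80"
PROBES = {40001: 1, 40002: 2, 40003: 3}                  # TCP source port -> TTL sent

def ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(sport, dport, seq, flags):
    """20-byte TCP header without options (checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)

def time_exceeded(router, probe):
    """ICMP type 11 code 0 quoting the probe's IP header plus 8 bytes of TCP."""
    return ipv4(router, SRC, 1, struct.pack("!BBHI", 11, 0, 0, 0) + probe[:28])

def classify(reply, probes, target):
    """Return (kind, responder_ip, probe_ttl) for one raw IPv4 reply."""
    ihl = (reply[0] & 0x0F) * 4
    proto, responder, body = reply[9], socket.inet_ntoa(reply[12:16]), reply[ihl:]
    if proto == 1 and body[:2] == b"\x0b\x00":           # ICMP Time Exceeded in transit
        quoted = body[8:]                                # the dropped probe, as quoted
        qihl = (quoted[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", quoted[qihl:qihl + 4])
        if socket.inet_ntoa(quoted[16:20]) == target and sport in probes:
            return ("hop", responder, probes[sport])
    elif proto == 6 and responder == target:             # TCP answer from the destination
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", body[:14])
        if dport in probes:
            kind = "open" if flags & 0x12 == 0x12 else "closed" if flags & 0x04 else "other"
            return (kind, responder, probes[dport])
    return ("unrelated", responder, None)

SYN = {p: ipv4(SRC, DST, 6, tcp(p, 443, 1000 + t, 0x02), ttl=t) for p, t in PROBES.items()}
REPLIES = [                                              # constructed replies
    time_exceeded("198.51.100.1", SYN[40001]),
    time_exceeded("198.51.100.9", SYN[40002]),
    ipv4(DST, SRC, 6, tcp(443, 40003, 0, 0x12)),         # SYN/ACK: destination reached
    ipv4("198.51.100.77", SRC, 1, struct.pack("!BBHI", 8, 0, 0, 0)),  # stray echo request
]

def path(replies=REPLIES):
    """Order the classified replies by probe TTL, dropping unrelated traffic."""
    hits = [classify(r, PROBES, DST) for r in replies]
    return sorted((ttl, ip, kind) for kind, ip, ttl in hits if ttl is not None)
```

Calling `path()` yields the two router hops followed by the destination, and the stray echo request is ignored because it quotes no probe.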
1

If you're talking about Traceroute (tracert), it works by sending packets with extremely short TTL values.

The first packet has a TTL of 1; when it gets to the first router, the router kills the packet, and sends a message back saying "this is me, and your packet died here".

The next packet goes with a TTL of 2, and so on until the target host is hit, or the max number of hops (30 by default on Windows) is hit.

Edit: Wikipedia entry on tracert.

Adrien
0

Applications like 'tracert' and others that use protocols other than ICMP work by sending out multiple packets, each time increasing the TTL (time-to-live) by one. (Some firewalls block all ICMP packets, making tracert and ping unusable.)

When a network device such as a router receives a packet, it decrements the TTL by 1; if it reaches zero, then it sends back an ICMP "host unreachable" along with the IP address of the device that removed the packet from the network. Thus you get a breadcrumb trail of the path your packets are taking across the network.

If instead of traceroute, you meant TCPTrace, then this looks very similar to an SSH tunnel, but I'm not familiar with this specific application.

Peter