There are lots of good explanations on how traceroute works using TTL.
What I don't understand is how the traceroute gets router information on each step.
For example, say there is a simple network as below and traceroutes from Computer A(CA) to Computer B(CB):
COMPUTER A(CA) ---- ROUTER A(RA) ---- ROUTER B(RB) ---- COMPUTER B(CB)
When a TTL expires at RB, how does CA know about RB's IP address?
On each hop, does the router change source/destination address of the datagram?
RB is going to send back (to CA) an ICMP time expired message, which will contain RB's IP address. Although it wasn't part of your question, CA can often use reverse DNS to find RB's name.
"Time expired" really means the number of IP "hops" set in the outbound ICMP message has been exceeded.
Edited to add: The source address of CA's messages is always CA, and the destination address is always CB. CA does not know the addresses of the routers along the way unless by discovering them using something like traceroute.
CA first sends an ICMP echo (ping) datagram with a destination address of CB and a TTL of one. RA receives that datagram, decrements the TTL, which becomes zero. RA sends an ICMP time expired message to CA; a part of that message is RA's IP address, so CA now knows the address of the first hop.
CA then sends another ping, still addressed to CB, but with a TTL of two. RA will decrement the TTL and send it onward to RB. RB decrements, finds zero, and sends ICMP time expired back to CA, so CA finds the address of the second hop.
CA would then send a third, fourth, etc. datagram, all addressed to CB, each with the TTL increased by one until CB answers.
