Firewalls and routers do not treat every traceroute probe method the same way. Linux traceroute uses UDP probes by default, while ping uses ICMP echo, so a route that looks blocked with the default method may look different when the trace follows the same packet family as a ping test.
The -I option selects ICMP echo probes for traceroute. Use it when ping succeeds, when default UDP traceroute stops at a firewall, or when a ticket needs to show whether ICMP diagnostic traffic follows a different visible path. It does not prove that HTTPS, SSH, or another application protocol works on the same path.
Run the ICMP trace and the default trace from the same source host during the same symptom window. Compare the destination row first, then read middle-hop timeouts in context because routers can rate-limit or ignore diagnostic replies while forwarding other traffic.
Related: How to interpret traceroute timeout hops
Related: How to use TCP probes with traceroute
Tool: Traceroute Hops Analyzer
Steps to use ICMP probes with traceroute:
- Choose the authorized target for the comparison.
Run route probes only against networks, hosts, or services where diagnostic testing is allowed.
- Confirm whether the target answers ICMP echo.
    $ ping -c 2 example.com
    PING example.com (203.0.113.80) 56(84) bytes of data.
    64 bytes from 203.0.113.80: icmp_seq=1 ttl=63 time=12.4 ms
    64 bytes from 203.0.113.80: icmp_seq=2 ttl=63 time=12.4 ms
    --- example.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 12.118/12.369/12.620/0.251 ms
A failed ping does not make ICMP traceroute useless, but it means the destination may not answer the final echo probe.
- Run traceroute with ICMP echo probes.
    $ traceroute -n -I -q 1 -w 2 -m 6 example.com
    traceroute to example.com (203.0.113.80), 6 hops max, 60 byte packets
     1  192.0.2.1  0.118 ms
     2  203.0.113.80  11.946 ms
-I selects ICMP echo probes, -n keeps addresses numeric, -q 1 sends one probe per hop for a compact comparison, -w 2 waits up to two seconds per probe, and -m 6 keeps the sample short.
- Run the default traceroute method from the same host.
    $ traceroute -n -q 1 -w 2 -m 6 example.com
    traceroute to example.com (203.0.113.80), 6 hops max, 60 byte packets
     1  192.0.2.1  0.038 ms
     2  198.51.100.1  0.292 ms
     3  *
     4  198.51.100.2  4.749 ms
     5  *
     6  *
The default Linux method uses UDP probes to high destination ports. Firewalls often treat those probes differently from ICMP echo.
- Compare the destination rows before interpreting middle hops.
    ICMP probe: destination answered at hop 2
    Default probe: no destination reply within 6 hops
    Reading: ICMP echo is permitted on this path, while the default UDP probe result is incomplete
Paste both traces into the Traceroute Hops Analyzer when the rows need to be shared with a ticket or incident note. Use TCP probes against the service port when users report a web, mail, or SSH symptom and ICMP does not match the application traffic.
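The destination-row comparison from the last step can also be scripted. The following is an added example, not part of the original page or of the Traceroute Hops Analyzer: `dest_hop` and `compare_dest` are hypothetical helper names, the input is assumed to be `traceroute -n` output, and the sample captures are the two traces shown in the steps above.

```shell
#!/bin/sh
# Added example: compare the destination rows of two `traceroute -n` captures,
# one taken with -I and one with the default (UDP) method.

# Sample captures, copied from the outputs shown in the steps above.
ICMP_TRACE='traceroute to example.com (203.0.113.80), 6 hops max, 60 byte packets
 1  192.0.2.1  0.118 ms
 2  203.0.113.80  11.946 ms'

UDP_TRACE='traceroute to example.com (203.0.113.80), 6 hops max, 60 byte packets
 1  192.0.2.1  0.038 ms
 2  198.51.100.1  0.292 ms
 3  *
 4  198.51.100.2  4.749 ms
 5  *
 6  *'

# dest_hop (hypothetical helper): read numeric traceroute output on stdin and
# print the first hop whose reply came from the destination address named in
# the header line, or "none" if the destination never answered.
dest_hop() {
    awk '
        NR == 1 {
            # Header: "traceroute to NAME (ADDR), N hops max, ..."
            if (match($0, /\([0-9a-fA-F.:]+\)/))
                dest = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        # Hop rows start with the hop number; scan every field so rows with
        # more than one probe per hop (-q > 1) are handled as well.
        $1 ~ /^[0-9]+$/ && found == "" {
            for (i = 2; i <= NF; i++) if ($i == dest) found = $1
        }
        END { print (found == "" ? "none" : found) }
    '
}

# compare_dest (hypothetical helper): classify a trace pair by destination row only.
compare_dest() {
    icmp=$(printf '%s\n' "$1" | dest_hop)
    udp=$(printf '%s\n' "$2" | dest_hop)
    case "$icmp/$udp" in
        none/none) echo "neither probe type reached the destination" ;;
        none/*)    echo "only the default probe reached the destination (hop $udp)" ;;
        */none)    echo "only the ICMP probe reached the destination (hop $icmp)" ;;
        *)         echo "both reached the destination (ICMP hop $icmp, default hop $udp)" ;;
    esac
}

compare_dest "$ICMP_TRACE" "$UDP_TRACE"
```

The verdict deliberately ignores middle-hop timeouts, which still need to be read in context as described above.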
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.