Layer four traceroute

Layer Four Traceroute (LFT) is a fast, multi-protocol traceroute engine that also implements numerous other features, including AS number lookups through regional Internet registries and other reliable sources, Loose Source Routing, and firewall and load balancer detection. LFT is best known for its use by network security practitioners to trace a route to a destination host through many configurations of packet filters and firewalls, and to detect network connectivity, performance or latency problems.

How it works

LFT sends various TCP SYN and FIN probes (differing from Van Jacobson's UDP-based method) or UDP probes, using the IP time to live (TTL) field to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to a host. LFT also listens for various TCP, UDP, and ICMP messages along the way to assist network managers in ascertaining per-protocol heuristic routing information, and can optionally retrieve various information about the networks it traverses. The operation of layer four traceroute is described in detail in several prominent security books.[1][2]
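The probe-and-reply mechanism described above, as an added offline example (not LFT's own code): it builds TCP SYN probes with increasing TTLs and parses constructed ICMP TIME_EXCEEDED replies, which quote the probe's IP header and first 8 TCP bytes. Matching replies by the quoted ports and sequence number, the documentation-range addresses, and all function names are assumptions of this example.

```python
import socket
import struct

def checksum(data):  # RFC 1071 Internet checksum
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header(src, dst, proto, ttl, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_syn_probe(src, dst, sport, dport, seq, ttl):
    """IPv4 + TCP segment with only SYN set; the TTL decides which gateway answers."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return ip_header(src, dst, 6, ttl, len(tcp)) + tcp

def simulate_time_exceeded(probe, gateway):
    """Constructed reply: what a gateway returns when the probe's TTL expires there."""
    src, dst = (socket.inet_ntoa(probe[i:i + 4]) for i in (12, 16))
    quoted = ip_header(src, dst, 6, 1, 20) + probe[20:28]  # IP header + first 8 TCP bytes
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted      # type 11 = TIME_EXCEEDED
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ip_header(gateway, src, 1, 64, len(icmp)) + icmp

def parse_time_exceeded(packet):
    """Return (gateway, sport, dport, seq) for a TIME_EXCEEDED quoting TCP, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 28 or packet[9] != 1 or packet[ihl] != 11:
        return None
    quoted = packet[ihl + 8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 6 or len(quoted) < q_ihl + 8:
        return None
    sport, dport, seq = struct.unpack("!HHI", quoted[q_ihl:q_ihl + 8])
    return socket.inet_ntoa(packet[12:16]), sport, dport, seq

def trace(src, dst, dport, gateways, sport=40000, base_seq=1000):
    """Offline run: one probe per TTL; out-of-order replies are matched back by sequence."""
    sent = {base_seq + ttl: ttl for ttl in range(1, len(gateways) + 1)}
    probes = [build_syn_probe(src, dst, sport, dport, seq, ttl) for seq, ttl in sent.items()]
    replies = [simulate_time_exceeded(p, gateways[p[8] - 1]) for p in reversed(probes)]
    parsed = filter(None, map(parse_time_exceeded, replies))
    hops = {sent[q]: gw for gw, sp, dp, q in parsed if (sp, dp) == (sport, dport) and q in sent}
    return [hops.get(ttl) for ttl in sent.values()]
```

A live tracer would send the probes on a raw socket and read replies from an ICMP socket; here the gateways are simulated so the packet formats can be inspected without network access.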


The lft command first appeared in 1998 as fft. Renamed as a result of confusion with fast Fourier transforms, lft stands for layer four traceroute. Results are often referred to as a layer four trace.



  1. Extreme Exploits: Advanced Defenses Against Hardcore Hacks (2005). McGraw-Hill. ISBN 0-07-225955-8.
  2. The Tao of Network Security Monitoring (2004). Addison-Wesley. ISBN 0-321-24677-2.
