A looking glass is a web-based diagnostic tool that lets anyone query your network's routing tables and run traceroutes from your perspective. Learn what it does, why networks use them, and how to set one up yourself.
Publish date: 2/23/2026
If you've ever wondered how data travels across the internet or tried to troubleshoot network connectivity issues, you've probably wished you could see the route your packets take from different vantage points around the world. That's exactly what a looking glass lets you do.
A looking glass is a web-based tool that allows anyone to run network diagnostic commands like ping, traceroute, and BGP route queries directly from a network operator's infrastructure. Instead of testing connectivity from your own computer, you can see how things look from a data center in Tokyo, London, or anywhere else that hosts a looking glass server.
For network operators, hosting a looking glass shows what an end user could expect from your network, and helps troubleshoot connectivity issues. For everyone else, it's an incredibly useful diagnostic tool that provides insights into internet routing you simply can't get any other way.
In this guide, we'll explain what a looking glass is, why they're useful, and walk you through hosting your own.
At its core, a looking glass is a web interface that exposes read-only access to network diagnostic tools running on a server. Think of it as a window into a network's routing infrastructure.
When you visit a looking glass, you can typically perform several types of queries:
BGP route lookups show you how a specific IP prefix is advertised and what autonomous system (AS) path it takes through the internet. This is particularly useful for diagnosing routing issues or understanding peering relationships.
Traceroute reveals the path packets take from the looking glass server to a destination IP address, showing each hop along the way with latency measurements.
Ping tests check basic connectivity and measure round-trip time to a destination.
Some looking glasses also support additional queries like checking specific BGP communities, viewing the full BGP routing table summary, or running MTR (My Traceroute) which combines traceroute with continuous monitoring.
The key distinction is that all these commands run from the network operator's infrastructure, not your local machine. This gives you a completely different perspective on network topology and routing behavior.
Network operators host looking glasses for several practical reasons, though the primary motivation is usually customer support and transparency.
When a customer reports connectivity issues to a specific destination, support teams can use their own looking glass to verify routing and diagnose problems. Instead of asking customers to run commands and paste results, technicians can see exactly what's happening from the network's perspective in real-time.
Looking glasses also demonstrate routing policies and peering relationships. If you're evaluating a hosting provider or transit provider, their looking glass shows you concrete data about their network connectivity rather than just marketing claims. You can see which networks they peer with, what paths your traffic would take, and verify their presence in specific regions.
For networks with multiple points of presence (PoPs) around the world, looking glasses at each location help demonstrate their global reach and let potential customers test connectivity from regions they care about.
From a technical standpoint, looking glasses are relatively simple to implement and operate. The computational overhead is minimal since they're just executing standard networking commands that are already available on the server. The main considerations are security (preventing abuse) and rate limiting to avoid overload.
The technical implementation of a looking glass is straightforward. At the most basic level, it's a web application that accepts user input (like an IP address or domain), validates it, constructs a shell command with that input, executes it on the server, and returns the output formatted for display in a browser.
For security, proper input validation is critical. Since the looking glass executes system commands based on user input, it needs to sanitize everything to prevent command injection attacks. Most implementations use strict whitelisting of allowed characters and patterns, ensuring that only valid IP addresses, CIDR blocks, or domain names get processed.
Modern looking glass software typically runs commands with limited privileges and may use containerization or sandboxing to isolate the execution environment from the rest of the system. Rate limiting prevents abuse by restricting how many queries a single IP address can make within a given timeframe.
The web interface itself is usually quite minimal, consisting of a form to select the query type and enter the target, with results displayed in a preformatted text block that preserves the command-line output format. Some implementations offer additional features like query history, multiple server selection for networks with many locations, or API endpoints for programmatic access.
Under the hood, the application interfaces with the system's routing daemon (like BIRD, FRRouting, or Quagga) to query BGP information, and uses standard tools like ping and traceroute for connectivity tests.
Setting up a looking glass is relatively simple. We'll walk you through the process using LookingGlass, one of the most popular open-source implementations.
Before you begin, you'll need a server with:
For testing BGP features, you'll need a system that's actually running BGP and has routing tables to query. For basic ping and traceroute functionality, any internet-connected server works fine.
First, install the necessary dependencies. On Debian or Ubuntu:
sudo apt update
sudo apt install nginx php-fpm php-cli git traceroute mtr-tiny
On RHEL-based systems like AlmaLinux or Rocky Linux:
sudo dnf install nginx php php-fpm git traceroute mtr
Clone the LookingGlass repository to your web root:
cd /var/www
sudo git clone https://github.com/telephone/LookingGlass.git
sudo chown -R www-data:www-data LookingGlass
Create an NGINX server block for the looking glass. Create a new file at /etc/nginx/sites-available/lookingglass:
server {
listen 80;
server_name lg.example.com;
root /var/www/LookingGlass;
index index.php;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php-fpm.sock;
}
}
Enable the site and restart NGINX:
sudo ln -s /etc/nginx/sites-available/lookingglass /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
For production use, you should absolutely set up HTTPS. You can get a free certificate using Let's Encrypt with Certbot.
Copy the example configuration file and edit it:
cd /var/www/LookingGlass
sudo cp LookingGlass/Config.php.example LookingGlass/Config.php
sudo nano LookingGlass/Config.php
The configuration file lets you customize various aspects of your looking glass. Key settings include:
rateLimit controls how many requests a user can make in a specific timeframe. The default is usually reasonable, but adjust based on your server's capacity and tolerance for abuse.
forbiddenNetworks lets you specify networks that shouldn't be queried, like private IP ranges or your internal management networks.
location and facility let you specify where this looking glass is hosted geographically.
customFooter can be used to add contact information or links to your main website.
If you're running BGP and want to expose routing information, you'll need to configure access to your BGP daemon. For BIRD, this typically means ensuring the BIRD socket is accessible to the web server user with appropriate permissions.
Never run your looking glass with excessive privileges. The web server user should only have access to the specific commands it needs to execute.
Implement strict input validation beyond what the software provides by default. Consider adding a Web Application Firewall (WAF) or using Fail2Ban to protect against brute force attacks and abuse.
Set up rate limiting at both the application level and potentially at your web server or firewall level. This prevents a single user from overwhelming your system with queries.
Consider implementing a CAPTCHA or similar challenge for excessive usage to discourage automated abuse while still allowing legitimate users to access your looking glass.
Regularly update the looking glass software and all dependencies to patch any security vulnerabilities that may be discovered.
Once everything is configured, visit your looking glass URL in a web browser. You should see a clean interface with options to select query types and enter targets.
Test basic functionality by running a traceroute to a well-known public IP address like 8.8.8.8 or 1.1.1.1. The results should display in your browser showing each hop along the path.
Try a ping test to verify connectivity checks work as expected.
If you've configured BGP access, test a route lookup for a common prefix to ensure the integration with your routing daemon is working correctly.
Check that rate limiting is functioning by making several rapid queries and verifying that you eventually get blocked temporarily.
While we used LookingGlass in this guide, several other implementations exist with different features and approaches.
ALICE Looking Glass is a modern PHP-based looking glass with a focus on simplicity and clean design. It supports multiple routers and includes built-in rate limiting.
Bird's Eye is specifically designed for networks running BIRD and offers extensive BGP query capabilities along with a RESTful API for programmatic access.
Hybula's Looking Glass is a a modern looking glass based on Bootstrap 5 and PHP 8.
bgp.tools isn't self-hosted software, but rather a comprehensive looking glass aggregator that lets you query multiple networks' looking glasses from a single interface. It's worth mentioning because it demonstrates how useful these tools are when combined.
The choice of looking glass software mostly depends on your specific needs. If you're running BGP and want extensive routing information exposure, Bird's Eye or ALICE might be better choices. For simple traceroute and ping functionality, the basic LookingGlass implementation we covered is perfectly adequate.
Network troubleshooting is the most obvious use case. When users report connectivity issues, you can use multiple looking glasses to see if the problem is isolated to a specific region or affects multiple paths. By comparing routes from different locations, you can identify where packets are getting dropped or taking suboptimal paths.
Service providers often use looking glasses to verify peering relationships and routing policies. If you're negotiating peering with another network, you can use their looking glass to see how they currently route traffic and verify that announced prefixes are being received as expected.
Security researchers use looking glasses to investigate network hijacking incidents and BGP anomalies. When suspicious routing changes occur, looking glasses provide historical data and multiple vantage points to understand what happened.
Systems administrators use looking glasses to verify that changes to routing policies or network configurations are propagating correctly across the internet. After announcing new IP space or modifying BGP communities, you can check multiple looking glasses to confirm everything is working as intended.
Website operators concerned about latency can use looking glasses to understand how traffic routes to their servers from different regions, helping inform decisions about where to deploy additional infrastructure or content delivery nodes.
A looking glass focuses on routing and network path information, showing you how packets travel through the internet. A speedtest measures bandwidth and latency for data transfers. Looking glasses run diagnostic commands like traceroute and BGP queries, while speedtests actually transfer data to measure throughput. Both are useful, but for different purposes.
Not really. A looking glass can verify that the IP address is reachable and show the network path, but it can't test if your web service is actually responding correctly. For that, you'd want uptime monitoring tools like Uptime Kuma. However, if your website is unreachable, a looking glass can help diagnose whether it's a routing issue or something else.
Network operators often restrict queries to private IP ranges, certain geographic regions, or specific command types for security and abuse prevention. Some looking glasses might not expose full BGP routing tables if they contain sensitive business information about peering relationships. Rate limiting and query restrictions prevent malicious users from using the looking glass for network reconnaissance or DDoS amplification.
No, you can host a basic looking glass that only offers ping and traceroute functionality without any BGP involvement. However, BGP route queries are one of the most valuable features of a looking glass, so if you're running a network with BGP peering, including that functionality makes your looking glass much more useful.
Absolutely. While modern monitoring tools provide extensive internal metrics, looking glasses offer an external perspective that's incredibly valuable for diagnosing routing issues, verifying internet connectivity from different locations, and understanding how your network appears to the outside world. They complement rather than replace other monitoring solutions.
A looking glass is one of those tools that might seem niche until you need it, and then you'll wonder how you ever managed without one. Whether you're troubleshooting connectivity issues, verifying routing policies, or just curious about how internet traffic flows, having access to multiple looking glasses across different networks provides insights you simply can't get any other way.
For network operators, hosting a looking glass demonstrates transparency and provides a valuable self-service diagnostic tool for customers. The setup process is straightforward, and the maintenance overhead is minimal once everything is configured properly.
If you're running any kind of network infrastructure, consider setting up a looking glass. It's a relatively small investment of time that pays dividends in troubleshooting efficiency and customer satisfaction.
xTom provides enterprise-grade dedicated servers, colocation services, and IP transit with looking glasses available at each of our global points of presence. V.PS offers scalable, production-ready NVMe-powered VPS hosting perfect for hosting your own looking glass or any other network tools you need. We also offer shared hosting and general IT services tailored to your infrastructure requirements.
Ready to discuss your infrastructure needs? Contact our team to explore the right solution for your projects.