Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
The immediate next router or device a packet is forwarded to on its way to the destination - looked up in the routing table at each Layer 3 hop, not the final endpoint.
Next Hop Definition: The immediate next router or device a packet is forwarded to on its way to the destination - looked up in the routing table at each Layer 3 hop, not the final endpoint.
Next hop is the immediate next Layer 3 device - usually a router - to which a packet is forwarded on its way toward its final destination. It is not the endpoint but the next step in the path. Each router along the route independently determines its own next hop, moving the packet one hop closer to where it needs to go.
When a router receives a packet, it looks up the destination IP in its routing table and finds the matching route, which specifies the next-hop IP address and the outgoing interface. The router then resolves that next-hop IP to a Layer 2 (MAC) address - via ARP on Ethernet - and forwards the frame to that device. The destination IP stays constant end to end, while the next-hop and the source/destination MAC addresses change at every hop. Routes can be directly connected, statically configured, or learned dynamically through protocols like OSPF or BGP.
Next hop matters for both correctness and security. Because forwarding is hop-by-hop and each router trusts its routing table, a poisoned or hijacked route that changes the next hop can silently redirect traffic to an attacker for interception (a man-in-the-middle attack) or drop it entirely (a black hole). This is the basis of route-hijacking and ARP-spoofing attacks, and why route authentication, filtering, and integrity controls are essential. Understanding next hop is also fundamental to troubleshooting reachability with tools like traceroute.
For example, a host sends a packet to a server several networks away. Its default gateway router consults its routing table, sees the destination is reachable via a neighboring router at 192.168.1.1, resolves that next-hop's MAC, and forwards the frame there. That router repeats the process with its own next hop. A traceroute reveals this chain of next hops; if an attacker injects a bogus route, the next hop shifts to a rogue device and traffic is quietly diverted.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →