traceroute gives only stars + how to fix

linux networking ping traceroute

97,725

Solution 1

I found that traceroute -I gave me more complete results.

-I, --icmp
      Use ICMP ECHO for probes

Solution 2

The asterisks you're seeing are servers that your packets are being routed through whom are timing out (5.0+ seconds) and so traceroute defaults to printing the *.

NOTE: There's even a warning about this in the traceroute man page.

excerpt

In the modern network environment the traditional traceroute methods can not be always applicable, because of widespread use of firewalls. Such firewalls filter the "unlikely" UDP ports, or even ICMP echoes. To solve this, some additional tracerouting methods are implemented (including tcp), see LIST OF AVAILABLE METHODS below. Such methods try to use particular protocol and source/destination port, in order to bypass firewalls (to be seen by firewalls just as a start of allowed type of a network session).

Most firewalls block traffic outbound on ports other than TCP/80 which is the default IP port for web traffic. traceroute in Linux default use UDP, ping use ICMP, so as your output, it seems that ICMP packets are allowed in your firewall whereas UDP packets are blocked by the firewall.

You can see responses to my question titled: traceroute and ping from school network.

EDIT #1

As per the comments, if this is working in another RHEL machine and not working in this RHEL machine, I would suggest doing the below steps.

From the working RHEL machine (machine A), copy the /etc/sysconfig/iptables file. In the faulty RHEL machine (machine B), copy the original /etc/sysconfig/iptables file to something like /etc/sysconfig/iptables.original.

$ cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original

This step is just to ensure that if something goes wrong with our setting, we can revert back to the original. Now, copy the /etc/sysconfig/iptables from the machine A to machine B.

Solution 3

Either the machine you are running the tests from or your local gateway (router) is blocking UDP or ICMP. Make sure these are allowed in your firewall / NAT rule configuration.

97,725

Rui F Ribeiro

Updated on September 18, 2022

Comments

Rui F Ribeiro over 1 year
When I do:
```
  $ traceroute 8.8.8.8
```
I get in the output showing only stars, even though pinging to google.com ( 8.8.8.8) appears to be working.
1. What do I need to fix in my files/conf in order to solve this issue?
2. what I need to check?
Ping command output
```
    $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=73.4 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=69.6 ms
```
traceroute command output
```
 $ traceroute 8.8.8.8
 traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
 10  * * *
 11  * * *
 12  * * *
 13  * * *
  14  * * *
 15  * * *
 16  * * *
 17  * * *
 18  * * *
 19  * * *
 20  * * *
 21  * * *
 22  * * *
 23  * * *
 24  * * *
 25  * * *
 26  * * *
 27  * * *
 28  * * *
 29  * * *
 30  * * *
```
- Admin about 10 years
  
  This is usually specific to the local network you're connected to but you might want to check your firewall and/or try with a disabled local firewall.
- Admin about 10 years
  
  is it posible to make a deep verification from my linux machine ? ( by linux commands ) in order to understand the problem -- please help
- Admin about 10 years
  
  @Eytan, please see the updated answer. I have mentioned the configuration files that needs to be changed.
- Admin about 10 years
  
  hi the configuration are the same on both machines , the machines are the same , so what next , what I need to check?
- Admin over 5 years
  
  i can't even traceroute to localhost, how strange
- Admin over 4 years
  
  The stars disappeared when I disabled my firewall with iptables -F. It is due to my firewall configuration blocking everything not going through my VPN and I just wanted to traceroute an IP address that I allowed to bypass VPN with route and iptables commands.
Admin about 10 years

so the stars are a bad sign? - they indicate about problem ?
Admin about 10 years

but if they block by the Firewall so I have problem -
Admin about 10 years

but how to know if the problem in my linux machine / or maybe the problem is some external isshue?
Admin about 10 years

this machine is in the network I have some other machine but the output on the other machine is diff ( not all stars )
Admin about 10 years

did you mean about the linux firewall ? or other firewall ?
Admin about 10 years

so how you explain if some machine are ok and some othe rmachine in the smae network have bad results ( stars )
Admin about 10 years

no all machines are red-hat exepet one unbuntu machine ( all them are VM machine ) , not understand why some of them are ok and some of them get bad results from traceroute
Anthon about 10 years

A bit more detail on how to do that would be helpful.
Admin about 10 years

please advice about the commands that need to run on my linux machine in order to check the firewall / NAT as you explained
Admin about 10 years

hi again the file iptables is the same on both machine ( the good one have the same file as the faulty one )
Ramesh about 10 years

I believe both these machines might be forwarding the packets to some other machine and so in that machine it is possible that the packets from machine B is blocked. I suggest you to open another question with the /etc/sysconfig/iptables rules in the question which will help people debug the issue.
Rui F Ribeiro over 5 years

ICMP per se is not being entirely blocked as the OP is doing pings.
Pedro Lobito about 4 years

I get connect: Operation not supported
killjoy over 2 years

This requires root privileges.
2pha about 2 years

-T to use TCP port 80 did it for me. eg traceroute -T google.com