traceroute gives only stars + how to fix
Solution 1
I found that traceroute -I
gave me more complete results.
-I, --icmp
Use ICMP ECHO for probes
Solution 2
The asterisks you're seeing are servers that your packets are being routed through whom are timing out (5.0+ seconds) and so traceroute
defaults to printing the *.
NOTE: There's even a warning about this in the traceroute
man page.
excerpt
In the modern network environment the traditional traceroute methods can not be always applicable, because of widespread use of firewalls. Such firewalls filter the "unlikely" UDP ports, or even ICMP echoes. To solve this, some additional tracerouting methods are implemented (including tcp), see LIST OF AVAILABLE METHODS below. Such methods try to use particular protocol and source/destination port, in order to bypass firewalls (to be seen by firewalls just as a start of allowed type of a network session).
Most firewalls block traffic outbound on ports other than TCP/80 which is the default IP port for web traffic. traceroute
in Linux default use UDP
, ping use ICMP
, so as your output, it seems that ICMP
packets are allowed in your firewall whereas UDP
packets are blocked by the firewall.
You can see responses to my question titled: traceroute and ping from school network.
EDIT #1
As per the comments, if this is working in another RHEL machine and not working in this RHEL machine, I would suggest doing the below steps.
From the working RHEL machine (machine A), copy the /etc/sysconfig/iptables
file. In the faulty RHEL machine (machine B), copy the original /etc/sysconfig/iptables
file to something like /etc/sysconfig/iptables.original
.
$ cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original
This step is just to ensure that if something goes wrong with our setting, we can revert back to the original. Now, copy the /etc/sysconfig/iptables
from the machine A to machine B.
Solution 3
Either the machine you are running the tests from or your local gateway (router) is blocking UDP or ICMP. Make sure these are allowed in your firewall / NAT rule configuration.
Related videos on Youtube
Rui F Ribeiro
Updated on September 18, 2022Comments
-
Rui F Ribeiro over 1 year
When I do:
$ traceroute 8.8.8.8
I get in the output showing only stars, even though pinging to google.com ( 8.8.8.8) appears to be working.
- What do I need to fix in my files/conf in order to solve this issue?
- what I need to check?
Ping command output
$ ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=73.4 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=69.6 ms
traceroute command output
$ traceroute 8.8.8.8 traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * *
-
Admin about 10 yearsThis is usually specific to the local network you're connected to but you might want to check your firewall and/or try with a disabled local firewall.
-
Admin about 10 yearsis it posible to make a deep verification from my linux machine ? ( by linux commands ) in order to understand the problem -- please help
-
Admin about 10 years@Eytan, please see the updated answer. I have mentioned the configuration files that needs to be changed.
-
Admin about 10 yearshi the configuration are the same on both machines , the machines are the same , so what next , what I need to check?
-
Admin over 5 yearsi can't even traceroute to localhost, how strange
-
Admin over 4 yearsThe stars disappeared when I disabled my firewall with
iptables -F
. It is due to my firewall configuration blocking everything not going through my VPN and I just wanted to traceroute an IP address that I allowed to bypass VPN with route and iptables commands.
-
Admin about 10 yearsso the stars are a bad sign? - they indicate about problem ?
-
Admin about 10 yearsbut if they block by the Firewall so I have problem -
-
Admin about 10 yearsbut how to know if the problem in my linux machine / or maybe the problem is some external isshue?
-
Admin about 10 yearsthis machine is in the network I have some other machine but the output on the other machine is diff ( not all stars )
-
Admin about 10 yearsdid you mean about the linux firewall ? or other firewall ?
-
Admin about 10 yearsso how you explain if some machine are ok and some othe rmachine in the smae network have bad results ( stars )
-
Admin about 10 yearsno all machines are red-hat exepet one unbuntu machine ( all them are VM machine ) , not understand why some of them are ok and some of them get bad results from traceroute
-
Anthon about 10 yearsA bit more detail on how to do that would be helpful.
-
Admin about 10 yearsplease advice about the commands that need to run on my linux machine in order to check the firewall / NAT as you explained
-
Admin about 10 yearshi again the file iptables is the same on both machine ( the good one have the same file as the faulty one )
-
Ramesh about 10 yearsI believe both these machines might be forwarding the packets to some other machine and so in that machine it is possible that the packets from machine B is blocked. I suggest you to open another question with the
/etc/sysconfig/iptables
rules in the question which will help people debug the issue. -
Rui F Ribeiro over 5 yearsICMP per se is not being entirely blocked as the OP is doing pings.
-
Pedro Lobito about 4 yearsI get
connect: Operation not supported
-
killjoy over 2 yearsThis requires root privileges.
-
2pha about 2 years-T to use TCP port 80 did it for me. eg
traceroute -T google.com