Created on 08-24-2023 09:11 AM Edited on 08-13-2024 08:50 AM By fricci_FTNT
Description
This article describes traceroutes.
Scope
FortiOS.
Solution
Packets forwarded to the internet pass through a series of routers. For each instance of traffic, one path to the destination is selected, and traceroute provides information about that path and the traffic.
See the three examples below:
execute traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 10.31.12.1 2.678 ms 2.544 ms 1.979 ms
 2 154.11.15.107 2.331 ms 3.235 ms 2.971 ms
 3 154.11.15.73 <qubcpqajdr02.bb.telus.com> 4.216 ms 19.313 ms 23.510 ms
 4 1.1.1.1 <one.one.one.one> 3.252 ms 2.992 ms 2.945 ms

execute traceroute harvard.edu
traceroute to harvard.edu (151.101.194.133), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 10.31.12.1 2.966 ms 2.809 ms 2.979 ms
 2 154.11.6.192 15.983 ms 19.186 ms 14.981 ms
 3 * * *
 4 151.101.194.133 <harvard.edu> 16.532 ms 16.722 ms 14.887 ms

execute traceroute 2.2.2.2
traceroute to 2.2.2.2 (2.2.2.2), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 10.31.12.1 2.863 ms 2.883 ms 2.988 ms
 2 154.11.15.111 7.361 ms 14.821 ms 10.321 ms
 3 * * *
 4 * * *
 5 * * *
 6 * * *
Each * in the traceroute output represents one ICMP probe that received no response.
If there are three stars, none of the three ICMP probes sent for that hop received a response.
The output shows the TTL (hop number) and the IP address of each hop.
The second hop differs across the three traceroute examples (154.11.15.107, 154.11.6.192 and 154.11.15.111), which shows the traffic taking different paths. This is because the network conditions changed.
At the third hop of the second traceroute output, '***' appeared. This may be because the router was not free to answer the traceroute and treated it as a low-priority request. Repeating the traceroute to the same destination a few times may produce different output. If the same output ('***') appears each time, the hop is temporarily overloaded.
In the third traceroute, responses were received up to hop 2, but nothing was received afterwards. The organization may have configured its routers not to respond to traceroute (a common security practice to avoid disclosing information about the network to external actors), which would explain why no further responses are received.
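The interpretation above, as an added example (not Fortinet's code): a Python parser for `execute traceroute` output that separates a silent hop inside a working path from a silent tail after the last responding hop. The function names are assumptions, the sample text is copied from the second and third traces above, and only IPv4 output in this layout is handled.

```python
import re

# Sample output copied from the article's second and third traces.
TRACE_HARVARD = """traceroute to harvard.edu (151.101.194.133), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 10.31.12.1 2.966 ms 2.809 ms 2.979 ms
 2 154.11.6.192 15.983 ms 19.186 ms 14.981 ms
 3 * * *
 4 151.101.194.133 <harvard.edu> 16.532 ms 16.722 ms 14.887 ms"""
TRACE_2222 = """traceroute to 2.2.2.2 (2.2.2.2), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 10.31.12.1 2.863 ms 2.883 ms 2.988 ms
 2 154.11.15.111 7.361 ms 14.821 ms 10.321 ms
 3 * * *
 4 * * *
 5 * * *
 6 * * *"""

HEADER_RE = re.compile(r"^traceroute to \S+ \(([\d.]+)\)")  # resolved destination IP
HOP_RE = re.compile(r"^(\d+)\s+(.+)$")                      # hop number, then the rest
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_trace(text):
    """Return (destination_ip, hops) parsed from 'execute traceroute' output."""
    dest, hops = None, []
    for line in map(str.strip, text.splitlines()):
        header = HEADER_RE.match(line)
        if header:
            dest = header.group(1)
            continue
        hop = HOP_RE.match(line)
        if not hop:
            continue                      # command echo or blank line
        body = hop.group(2)
        ip = IPV4_RE.search(body)
        hops.append({"ttl": int(hop.group(1)),
                     "ip": ip.group(0) if ip else None,
                     "rtts_ms": [float(r) for r in re.findall(r"(\d+\.\d+) ms", body)],
                     "lost": body.split().count("*")})   # one '*' per unanswered probe
    return dest, hops

def assess(text):
    """Separate silent hops inside a working path from a silent tail."""
    dest, hops = parse_trace(text)
    last = max((h["ttl"] for h in hops if h["ip"]), default=0)
    silent = [h["ttl"] for h in hops if h["ip"] is None]
    return {"reached": any(h["ip"] == dest for h in hops),
            "last_responding_ttl": last,
            "silent_midpath": [t for t in silent if t < last],  # later hops still answered
            "silent_tail": [t for t in silent if t > last]}     # nothing answered after 'last'
```

A hop listed under `silent_midpath` did not stop the trace from reaching the destination, while a non-empty `silent_tail` with `reached` false matches the third trace, where nothing answers beyond hop 2.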
If IPv6 is enabled in the FortiGate's feature visibility settings and an IPv6 address is configured on an interface, it is possible to traceroute IPv6 destination addresses using the command below:
execute tracert6 ?
execute tracert6 2001:db8:a0b:13e0::6
Related article: Troubleshooting Tip: Using traceroute options from FortiGate CLI