Performing a traffic trace

Traffic tracing allows you to follow a specific packet stream. This is useful when you want to confirm that packets are using the route you expect them to take on your network.

To view traffic sessions:

Use this command to view the characteristics of a traffic session though specific security policies.

diagnose sys session

To trace per-packet operations for flow tracing:

diagnose debug flow

To trace per-Ethernet frame:

diagnose sniffer packet

To trace a route from a FortiGate to a destination IP address:

# execute traceroute www.fortinet.com

traceroute to www.fortinet.com (66.171.121.34), 32 hops max, 84 byte packets

1 172.20.120.2 0.637 ms 0.653 ms 0.279 ms

2 209.87.254.221 <static-209-87-254-221.storm.ca> 2.448 ms 2.519 ms 2.458 ms

3 209.87.239.129 <core-2-g0-2.storm.ca> 2.917 ms 2.828 ms 9.324 ms

4 209.87.239.199 <core-3-bdi1739.storm.ca> 13.248 ms 12.401 ms 13.009 ms

5 216.66.41.113 <v502.core1.tor1.he.net> 17.181 ms 12.422 ms 12.268 ms

6 184.105.80.9 <100ge1-2.core1.nyc4.he.net> 21.355 ms 21.518 ms 21.597 ms

7 198.32.118.41 <ny-paix-gni.twgate.net> 83.297 ms 84.416 ms 83.782 ms

8 203.160.228.217 <217-228-160-203.TWGATE-IP.twgate.net> 82.579 ms 82.187 ms 82.066 ms

9 203.160.228.229 <229-228-160-203.TWGATE-IP.twgate.net> 82.055 ms 82.455 ms 81.808 ms

10 203.78.181.2 82.262 ms 81.572 ms 82.015 ms

11 203.78.186.70 83.283 ms 83.243 ms 83.293 ms

12 66.171.127.177 84.030 ms 84.229 ms 83.550 ms

13 66.171.121.34 <www.fortinet.com> 84.023 ms 83.903 ms 84.032 ms

14 66.171.121.34 <www.fortinet.com> 83.874 ms 84.084 ms 83.810 ms