Knowledge Base

All hops show 100% packet loss

Question

When I try to trace to a destination with PingPlotter, and I get "Destination Address Unreachable" at hop #1. How do I correct this situation?

Solution

With the advent of internet security threats, many firewalls lock down all outgoing network traffic. This is especially true for software firewalls.

The symptoms of this is that you see "Destination Address Unreachable" at hop 1, and you're just unable to collect any network data. You might also be getting an error message in PingPlotter above the graph.

If you're seeing these symptoms, then you might have some kind of network firewall software installed on your computer. Some examples of this are: Zone Alarm, Norton Internet Security, or some other product with the name "Security" or "Firewall" in the title. Microsoft also provides a built-in firewall with newer versions of Windows called "Internet Connection Firewall", and this can be configured to block ICMP as well.

It may also be that some other piece of software was installed that added a firewall to your system. If you're using a VPN to connect to your company, there are some VPN packages that will install a firewall, one notable example of this is the AT&T Network Client.

Many of these firewalls use "by application" network blocking. In this type of firewall, you need to flag specific applications that you want to give access to the internet. Since our tools are network monitoring tools, they do need access to the network. If you're using a firewall of this type (ZoneAlarm is one of the most popular), go into that application to allow PingPlotter to have network access.

If PingPlotter or MultiPing worked fine before you updated to a new version of PingPlotter or MultiPing, then it may be that your firewall software blocks access by program and version. ZoneAlarm is one firewall product that does this. Usually, you'll get prompted when you first run the new version, but in some cases you may not (or you may be used to saying "no, don't allow access"). In this case, you'll need to go to your firewall software and explicitly allow access to the right version of PingPlotter - or tell your firewall software not to worry about the version number and just always allow access (in ZoneAlarm, this is the "Changes Frequently" option).

If you're using a generic "block certain kinds of network traffic" firewall, you'll need to configure that to allow ICMP echo requests, ICMP echo replies, ICMP TTL Expired and ICMP TTL Destination Unreachable to pass through your firewall. The options for doing this differ between brands of firewall software, but some firewall vendors address this in their online help or knowledgebases.

In some case, you may need to disable the network firewall to allow PingPlotter (and similar applications like "PING" and "TRACERT") to work. Often, you might start out by completely disabling the firewall for a short period of time, to verify that the firewall is the thing blocking PingPlotter, and once you determine that this is the cuplrit, reenable the firewall and search for settings that allow PingPlotter to work.


Article Rating (28 Votes)

Rate this article


Article Info

Article Number: 27 | Last Updated: November 16, 2016

This article has been viewed 21166 times since May 8, 2004

Filed Under: Usage

Attachments

There are no attachments for this article.