TTL value in PING response

Unanswered Question
Jan 14th, 2008
User Badges:

Can someone explain to me in details on what basis the TTL value is displayed when we ping a remote host.

I am pinging a remote host from my WindowsXP system. Sometimes the TTL value is less than 127 and some times its close to 255. Both the resources are on internet.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
shrikar.dange Mon, 01/14/2008 - 22:38
User Badges:
  • Bronze, 100 points or more

hi,


In my knowledge the TTL value is the number of hops the packet takes along the path till destination.The number of hops is equal to the number of L3 devices through which the packet has traversed.Each time the packet arrives @ L3 device it processes it and forwards with decreaseD TTL value.

The different numbers in your case may be because the packet must be travelling from different paths.


HTH,


regards,


shri :)

avilt Mon, 01/14/2008 - 23:08
User Badges:

I am pinging resource X which is 26 hops away and resource Y which is 16 hops away from my system.


C:\>ping x.x.x.x


Pinging x [x.x.x.x] with 32 bytes of data:

Reply from x.x.x.x: bytes=32 time=289ms TTL=236



C:\>ping y.y.y.y


Pinging y [y.y.y.y] with 32 bytes of data:

Reply from y.y.y.y: bytes=32 time=19ms TTL=112



On what basis the upper TTL value is taken? Why the TTL value is 236 when I ping X and TTL value is 112 in case of Y?

Jon Marshall Tue, 01/15/2008 - 00:13
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi


Is y a windows machine and x a non-windows machine ?


Windows machines use a TTL beginning at 127 whereas unix/cisco devices use a TTL starting at 255.


HTH


Jon

avilt Tue, 01/15/2008 - 00:28
User Badges:

My source machine is Windows XP, I do not know about X and Y.

Jon Marshall Tue, 01/15/2008 - 00:30
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Source machine doesn't really matter, it's what the destination machine uses as it's TTL when it generates the ICMP echo response.


Jon

Jon Marshall Tue, 01/15/2008 - 23:52
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Michael


Many thanks for that, nice to be appreciated :)


Jon

mohammedmahmoud Wed, 01/16/2008 - 05:27
User Badges:
  • Green, 3000 points or more

Hi Jon,


I just want to add to your very valuable information, as you said the TTL is all about the destination and has nothing to do with the source, different OS has different TTL (considered as an aspect of the OS fingerprinting):


Windows: 128

Linux: 64

Cisco: 255

Solaris: 255


below are ping results from the LAN to an example of all those from the same source:



Reply from 10.10.99.2: bytes=32 time<1ms TTL=128

Reply from 10.10.99.2: bytes=32 time<1ms TTL=128

Reply from 10.10.99.2: bytes=32 time<1ms TTL=128

Reply from 10.10.99.2: bytes=32 time<1ms TTL=128



Reply from 10.10.99.166: bytes=32 time<1ms TTL=64

Reply from 10.10.99.166: bytes=32 time<1ms TTL=64

Reply from 10.10.99.166: bytes=32 time<1ms TTL=64

Reply from 10.10.99.166: bytes=32 time<1ms TTL=64



Reply from 10.10.99.1: bytes=32 time=1ms TTL=255

Reply from 10.10.99.1: bytes=32 time=1ms TTL=255

Reply from 10.10.99.1: bytes=32 time=1ms TTL=255

Reply from 10.10.99.1: bytes=32 time=1ms TTL=255



Reply from 10.10.99.13: bytes=32 time=1ms TTL=255

Reply from 10.10.99.13: bytes=32 time=1ms TTL=255

Reply from 10.10.99.13: bytes=32 time=1ms TTL=255

Reply from 10.10.99.13: bytes=32 time=1ms TTL=255




BR,

Mohammed Mahmoud.

Jon Marshall Thu, 01/17/2008 - 02:36
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi Mohammed


Good to see you back in action.


Jon

mohammedmahmoud Thu, 01/17/2008 - 02:52
User Badges:
  • Green, 3000 points or more

Hi Jon,


I am very glade too. Hope you are fine. I've tried to reply on your email a couple of days ago, but i get "Delivery to the following recipients failed due to a permanent error" "Remote host said: 550 This system has been configured to reject your mail (B)".



BR,

Mohammed Mahmoud.

Hi Mohammed,

it is very nice answer. Can you explain the relationship between ping's TTL and count of hops in traceroute? When I tried something, I thing that it is

ping's TTL == traceroute hops - 2.

Is it correct? And why it is so? But in my images from terminal it is not so always. Thank you very much!

Terminal: ping's TTL and traceroute
?


Terminal: ping's TTL and traceroute

Terminal: ping's TTL and traceroute

Actions

This Discussion