cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
123946
Views
30
Helpful
17
Replies

TTL value in PING response

avilt
Level 3
Level 3

Can someone explain to me in details on what basis the TTL value is displayed when we ping a remote host.

I am pinging a remote host from my WindowsXP system. Sometimes the TTL value is less than 127 and some times its close to 255. Both the resources are on internet.

17 Replies 17

shrikar.dange
Level 1
Level 1

hi,

In my knowledge the TTL value is the number of hops the packet takes along the path till destination.The number of hops is equal to the number of L3 devices through which the packet has traversed.Each time the packet arrives @ L3 device it processes it and forwards with decreaseD TTL value.

The different numbers in your case may be because the packet must be travelling from different paths.

HTH,

regards,

shri :)

I am pinging resource X which is 26 hops away and resource Y which is 16 hops away from my system.

C:\>ping x.x.x.x

Pinging x [x.x.x.x] with 32 bytes of data:

Reply from x.x.x.x: bytes=32 time=289ms TTL=236

C:\>ping y.y.y.y

Pinging y [y.y.y.y] with 32 bytes of data:

Reply from y.y.y.y: bytes=32 time=19ms TTL=112

On what basis the upper TTL value is taken? Why the TTL value is 236 when I ping X and TTL value is 112 in case of Y?

Hi

Is y a windows machine and x a non-windows machine ?

Windows machines use a TTL beginning at 127 whereas unix/cisco devices use a TTL starting at 255.

HTH

Jon

My source machine is Windows XP, I do not know about X and Y.

Source machine doesn't really matter, it's what the destination machine uses as it's TTL when it generates the ICMP echo response.

Jon

Hi Jon

"Windows machines use a TTL beginning at 127 whereas unix/cisco devices use a TTL starting at 255. "

That is a useful nugget of information which was previously unknown to me which I though merited a rating.

Best Regards & Many Thanks,

Michael

Michael

Many thanks for that, nice to be appreciated :)

Jon

Hi Jon,

I just want to add to your very valuable information, as you said the TTL is all about the destination and has nothing to do with the source, different OS has different TTL (considered as an aspect of the OS fingerprinting):

Windows: 128

Linux: 64

Cisco: 255

Solaris: 255

below are ping results from the LAN to an example of all those from the same source:

Reply from 10.10.99.2: bytes=32 time<1ms TTL=128

Reply from 10.10.99.2: bytes=32 time<1ms TTL=128

Reply from 10.10.99.2: bytes=32 time<1ms TTL=128

Reply from 10.10.99.2: bytes=32 time<1ms TTL=128

Reply from 10.10.99.166: bytes=32 time<1ms TTL=64

Reply from 10.10.99.166: bytes=32 time<1ms TTL=64

Reply from 10.10.99.166: bytes=32 time<1ms TTL=64

Reply from 10.10.99.166: bytes=32 time<1ms TTL=64

Reply from 10.10.99.1: bytes=32 time=1ms TTL=255

Reply from 10.10.99.1: bytes=32 time=1ms TTL=255

Reply from 10.10.99.1: bytes=32 time=1ms TTL=255

Reply from 10.10.99.1: bytes=32 time=1ms TTL=255

Reply from 10.10.99.13: bytes=32 time=1ms TTL=255

Reply from 10.10.99.13: bytes=32 time=1ms TTL=255

Reply from 10.10.99.13: bytes=32 time=1ms TTL=255

Reply from 10.10.99.13: bytes=32 time=1ms TTL=255

BR,

Mohammed Mahmoud.

Hi Mohammed

Good to see you back in action.

Jon

Hi Jon,

I am very glade too. Hope you are fine. I've tried to reply on your email a couple of days ago, but i get "Delivery to the following recipients failed due to a permanent error" "Remote host said: 550 This system has been configured to reject your mail (B)".

BR,

Mohammed Mahmoud.

Mohammed

Not sure what's happening with the e-mail. I have 2 e-mail addresses

jon.marshall@networkrail.co.uk

jon.j.marshall@networkrail.co.uk

Probably the first is the best one to try.

Jon

Hi Mohammed,

it is very nice answer. Can you explain the relationship between ping's TTL and count of hops in traceroute? When I tried something, I thing that it is

ping's TTL == traceroute hops - 2.

Is it correct? And why it is so? But in my images from terminal it is not so always. Thank you very much!?

That was a valuable information shared by you, thanks a lot.

 

please find my PC output for the ping, am trying to ping my default gateway which should not decrease any TTL value. And it shows 64 does that means my Windows laptop sending the PING packet with TTL set to 64 not 128.

 


Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::70b3:d2d6:3d69:3f5a%11
IPv4 Address. . . . . . . . . . . : 192.168.1.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::1%11
192.168.1.1

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

C:\Users\Vishnu>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=9ms TTL=64
Reply from 192.168.1.1: bytes=32 time=4ms TTL=64
Reply from 192.168.1.1: bytes=32 time=9ms TTL=64
Reply from 192.168.1.1: bytes=32 time=6ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 9ms, Average = 7ms

Please do not hesitate to click the STAR button if you are satisfied with my answer.

The TTL in the ping response was set by the device at 192.168.1.1 and has nothing at all to do with the TTL set by your PC in the ping request.

 

HTH

 

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco