Time to live (TTL) Question...

Unanswered Question
Jun 10th, 2008

Hi Experts,


I would like to check, what does this TTL mean?


When I ping from the main office to the branch office user network range, it gives me TTL=253 (which I believe is normal).


But when I ping from the branch office to the main site, the TTL is only 125.


Why is it so?


Reply from 122.120.4.20: bytes=32 time=4ms TTL=125

Reply from 122.120.4.20: bytes=32 time=6ms TTL=125


Thanks in advance.


cindy


n.nandrekar Tue, 06/10/2008 - 20:06

Hi!

Is the connectivity through MPLS cloud? Is it a L3 or L2 VPN? Can you do a traceroute and post the results?


Regards,

Niranjan

cindylee27 Tue, 06/10/2008 - 20:23

Thanks Niranjan,


Tracing route to sgc.gb[13.11.8.11]

over a maximum of 30 hops:


1 <1 ms <1 ms <1 ms 13.11.29.253

2 <1 ms <1 ms <1 ms 13.11.26.252

3 4 ms 3 ms 3 ms 13.10.254.249

4 6 ms 10 ms 5 ms 13.11.10.1

5 5 ms 5 ms 5 ms sgc.gb [13.11.8.11]


And it is going through a 10M Metro Ethernet line.


n.nandrekar Tue, 06/10/2008 - 21:38

Hi!

It could be because of the host you are using to send the ping packets. The default TTL value might be different.

E.g.

I pinged my own interface on a Windows XP machine to confirm the default TTL set by Windows. It turns out to be 128.

C:\Documents and Settings\niranjan>ping localhost


Pinging niranjan-wxp.cisco.com [127.0.0.1] with 32 bytes of data:


Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128


Ping statistics for 127.0.0.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms


C:\Documents and Settings\niranjan>



So are you pinging from the router/Unix host from one side and Windows from the other?

Can you check the default TTL when the ping is sent from either side? Maybe you could use self-ping / ethereal.


Hope this will solve your query.


Regards,

Niranjan.


(Please rate helpful posts.)

cindylee27 Tue, 06/10/2008 - 22:09

I ping from host to host...

host A ping to host B : TTL=127

Host B to Host A : TTL=253


Thanks.


n.nandrekar Tue, 06/10/2008 - 22:21

Did your issue get solved?

I was telling you to ping the self IP address. Ping from host A to host A itself.

You will notice that one of the hosts is sending the ping with a default TTL of 128. That would be controlled by the OS you are running on the host. The other host is using the default TTL of 255. So you are seeing such a difference in both directions.

If you calculate based on this, you have just 2 hops in one direction and 3 in the other. It is quite possible that the traffic takes a different path in the reverse direction, due to which you might see an extra hop. That path will depend on the routing information.


Hope this answers your question. Please mark the question as solved if it does. Else revert with any issues still unclear.


Regards,

Niranjan

cindylee27 Tue, 06/10/2008 - 22:30

The other host (HOST B), when pinging itself, also shows TTL=128.


But ping to host A is TTL=253.


n.nandrekar Tue, 06/10/2008 - 22:47

That is correct. Host B sends an ICMP echo request with a default TTL of 128. So a self-ping shows a TTL of 128. But when it pings A, A sends an ICMP echo response with its default TTL of 255, which becomes 253 by the time it reaches B.

The TTL displayed by B is the TTL in the response packet that is sent by A.

Similarly, if you self-ping from A, you will see a default TTL of 255 used. But if you ping from A to B, you will see a TTL of 125, as B sends the response with a default TTL of 128.


Regards,

Niranjan

mohammedmahmoud Tue, 06/10/2008 - 23:01

Hi,


The Time-to-live (TTL) tells us how long a packet can stay on the wire. It is decremented by one for each hop (router) that the packet passes through. When the TTL drops to 0, the packet is discarded by the router. With ping, the TTL is all about the destination and has nothing to do with the source, since the value printed in the output is from the echo reply (packets sent from the destination). Although if by any means you can debug or sniff the echo request packets, you'll notice that they use the TTL of the local system. Different OSes use different TTLs (considered an aspect of OS fingerprinting; an initial TTL value can say a lot about an operating system), for example:


Windows: 128

Linux: 64

Cisco: 255

Solaris: 255


BR,

Mohammed Mahmoud.
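
The inference worked through in this thread, as an added example (not code from any of the posters): given the TTL printed in a ping reply, pick the smallest default from the table above that is at least the observed value, and the difference is the number of hops the reply crossed. The function names and the `192.0.2.10` sample line are constructed for illustration; the first sample line is the one posted in the question.

```python
import re

# Initial TTL defaults as listed in the thread (not an exhaustive table).
INITIAL_TTLS = {64: ["Linux"], 128: ["Windows"], 255: ["Cisco", "Solaris"]}

# Matches Windows-style ping reply lines such as the ones quoted in the thread.
REPLY_RE = re.compile(r"Reply from (?P<src>[\d.]+): .*?TTL=(?P<ttl>\d+)", re.I)

def infer(observed_ttl):
    """Return (assumed initial TTL, hops travelled, candidate OS list)."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    # Smallest known default that is >= the observed value. Assumption: the
    # path is shorter than the gap between defaults (e.g. a Windows host more
    # than 64 hops away would be misread as a 64-default host).
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl, INITIAL_TTLS[initial]

def parse_replies(text):
    """Extract (responder, observed TTL) pairs from ping output."""
    return [(m["src"], int(m["ttl"])) for m in REPLY_RE.finditer(text)]

def summarize(text):
    """Per responder: inferred initial TTL, hop count, OS candidates."""
    return {src: infer(ttl) for src, ttl in parse_replies(text)}

def path_asymmetry(ttl_seen_at_a, ttl_seen_at_b):
    """Difference in reply-path hop counts between the two directions."""
    return infer(ttl_seen_at_a)[1] - infer(ttl_seen_at_b)[1]

# First line is from the question; the other two are constructed samples.
SAMPLE = """\
Reply from 122.120.4.20: bytes=32 time=4ms TTL=125
Reply from 192.0.2.10: bytes=32 time=5ms TTL=253
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
"""

if __name__ == "__main__":
    for src, (initial, hops, guess) in summarize(SAMPLE).items():
        print(f"{src}: initial TTL {initial}, {hops} hop(s), {'/'.join(guess)}")
    # 125 vs 253: replies crossed 3 hops one way and 2 the other.
    print("asymmetry (hops):", path_asymmetry(125, 253))
```

A non-zero asymmetry only says the two reply paths differ in router count; the TTL printed by ping always belongs to the responder's packet, never to the sender's.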

Pravin Phadte Wed, 06/11/2008 - 00:57

Mohammed is correct and that's the way it is.


All Cisco routers will ping with TTL 255 and Windows with TTL 128. On each hop it will be reduced.


That's how the architecture is designed.


Intel Switches - 64

Cisco Firewall or Checkpoint will respond with - 64


A long time back I had read about this, and it also said that hackers use this ping command to understand the device which is responding.


Above is some good explanation, and most of us try to ignore this theory of TTL.


Links below will help more to understand.


http://members.cox.net/~ndav1/self_published/TTL_values.html

