08-14-2013 05:44 AM - edited 03-07-2019 02:55 PM
Hi,
Does anyone know how to find the TTL from ping on Cisco devices?
For example, on Windows I can find out:
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=40ms TTL=49
Reply from 8.8.8.8: bytes=32 time=41ms TTL=49
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
How can I see the TTL?
08-14-2013 08:03 AM
Hi,
The TTL, as defined in all RFCs, states that it is Time to Live; however, it was never implemented as time; it was implemented as hop count.
Regards,
Smitesh
08-14-2013 08:10 AM
There's not an easy way to do it. I ran debugs for ICMP and IP packets and neither shows the TTL. From what I've read, it's 255, but it's not seen anywhere on the router:
*Mar 1 00:56:03.203: ICMP: echo reply rcvd, src 172.13.0.1, dst 172.13.0.3
*Mar 1 00:50:38.803: IP: tableid=0, s=172.32.0.3 (local), d=172.32.0.2 (Serial0/2), routed via FIB
*Mar 1 00:50:38.803: IP: s=172.32.0.3 (local), d=172.32.0.2 (Serial0/2), len 100, sending
*Mar 1 00:50:38.803: ICMP type=8, code=0
I've also tried verbose extended pings, and it doesn't report the ttl either...
HTH,
John
*** Please rate all useful posts ***
08-14-2013 09:10 AM
I agree with John. There's no easy way it would seem.
I also tried the same things, and even got a little more dangerous using debug ip packet detail (with an ACL), and still no sign of the TTL used.
I did a capture with tcpdump on an RHEL server on the same subnet as the router, and confirm what John says in that the initial TTL of a ping from an IOS router is 255.
[sfuller@rhel8 ~]$ sudo tcpdump -vvv -i bond0 icmp
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
16:30:08.842129 IP (tos 0x0, ttl 255, id 20, offset 0, flags [none], proto: ICMP (1), length: 100) ocs6504-1-vl11.ntilab.net > rhel8-bond0.ntilab.net: ICMP echo request, id 4, seq 0, length 80
16:30:08.859916 IP (tos 0x0, ttl 64, id 43802, offset 0, flags [none], proto: ICMP (1), length: 100) rhel8-bond0.ntilab.net > ocs6504-1-vl11.ntilab.net: ICMP echo reply, id 4, seq 0, length 80[..]
The good news, though only if you're likely to use NX-OS devices now or in the future, is that NX-OS does include the TTL:
n5548-1# ping rhel8
Using IP address of interface loopback0
PING rhel8-bond0.ntilab.net (192.168.11.115): 56 data bytes
64 bytes from 192.168.11.115: icmp_seq=0 ttl=60 time=1.087 ms
64 bytes from 192.168.11.115: icmp_seq=1 ttl=60 time=0.988 ms
[..]
Regards
08-15-2013 11:37 PM
Hi,
Thanks for the input. I already tried with debug ip packet and with details.
What I am trying to do is find out the TTL from a ping to another host. I know that the TTL of Cisco is 255.
I want to know what kind of OS a host is running. For example, if I get a TTL of 64 I know that the host is running Linux, and if I get a TTL of 128 it's a Windows machine.
I was searching for this for some time, and I thought somebody knew a way.
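An added example (not code from any poster in this thread): a Python sketch that reads single-line `tcpdump -vvv` ICMP output in the format quoted above, extracts each sender's TTL, and rounds it up to the nearest initial value mentioned in the thread (64 Linux, 128 Windows, 255 Cisco IOS) to estimate hop count and OS family. The hostnames and capture lines are constructed, and treating those three values as the only possible initial TTLs is an assumption.

```python
import re

# Initial TTLs named in the thread; assuming these are the only candidates.
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "Cisco IOS"}

# Constructed sample, modelled on the tcpdump -vvv lines quoted in the thread.
SAMPLE = """\
16:30:08.842129 IP (tos 0x0, ttl 255, id 20, offset 0, flags [none], proto: ICMP (1), length: 100) r1.example.net > probe.example.net: ICMP echo request, id 4, seq 0, length 80
16:30:08.859916 IP (tos 0x0, ttl 64, id 43802, offset 0, flags [none], proto: ICMP (1), length: 100) probe.example.net > r1.example.net: ICMP echo reply, id 4, seq 0, length 80
16:30:09.101010 IP (tos 0x0, ttl 125, id 511, offset 0, flags [none], proto: ICMP (1), length: 100) win1.example.net > probe.example.net: ICMP echo reply, id 7, seq 0, length 80
"""

# Matches the IP header TTL and the "src > dst: ICMP echo ..." part of a line.
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?\)\s+(?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply)"
)


def estimate(ttl):
    """Return (assumed initial TTL, hops travelled, OS guess) for an observed TTL.

    The observed TTL is the sender's initial TTL minus one per router crossed,
    so round up to the nearest known initial value. This is only a hint: the
    initial TTL is a tunable default, and a host more than 64 hops away with
    an initial TTL of 128 would be misread as Linux.
    """
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl, INITIAL_TTLS[initial]


def fingerprint(capture):
    """Parse tcpdump text; return {source host: (initial TTL, hops, OS guess)}."""
    results = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            results[m["src"]] = estimate(int(m["ttl"]))
    return results


if __name__ == "__main__":
    for host, (initial, hops, guess) in fingerprint(SAMPLE).items():
        print(f"{host}: initial TTL {initial}, {hops} hop(s) away, likely {guess}")
```
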
08-16-2013 01:26 AM
Hi,
Probably NMAP or any other Penetration Tool might be something you should check.
HTH,
Smitesh
08-17-2013 09:19 AM
Hi,
Best way is to run Wireshark.