08-14-2013 05:44 AM - edited 03-07-2019 02:55 PM
Hi,
Does anyone know how to find ttl from ping on cisco devices?
For example on windows I can find out
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=40ms TTL=49
Reply from 8.8.8.8: bytes=32 time=41ms TTL=49
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
How can I see the TTL?
08-14-2013 08:03 AM
Hi,
The TTL as defined in all RFC states that it is Time to Live; however it was never implemented as time; however it was implemented as hop count.
Regards,
Smitesh
08-14-2013 08:10 AM
There's not an easy way to do it. I ran debugs for icmp and ip packets and neither show the ttl. From what I've read, it's 255 but it's not seen anywhere on the router:
*Mar 1 00:56:03.203: ICMP: echo reply rcvd, src 172.13.0.1, dst 172.13.0.3
*Mar 1 00:50:38.803: IP: tableid=0, s=172.32.0.3 (local), d=172.32.0.2 (Serial0/2), routed via FIB
*Mar 1 00:50:38.803: IP: s=172.32.0.3 (local), d=172.32.0.2 (Serial0/2), len 100, sending
*Mar 1 00:50:38.803: ICMP type=8, code=0
I've also tried verbose extended pings, and it doesn't report the ttl either...
HTH,
John
*** Please rate all useful posts ***
08-14-2013 09:10 AM
I agree with John. There's no easy way it would seem.
I also tried the same things, and even got a little more dangerous using debug ip packet detail(with an ACL) and still no sign of the TTL used.
I did a capture with tcpdump on an RHEL server on the same subnet as the router, and confirm what John says in that the initial TTL of a ping from an IOS router is 255.
[sfuller@rhel8 ~]$ sudo tcpdump -vvv -i bond0 icmp
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
16:30:08.842129 IP (tos 0x0, ttl 255, id 20, offset 0, flags [none], proto: ICMP (1), length: 100) ocs6504-1-vl11.ntilab.net > rhel8-bond0.ntilab.net: ICMP echo request, id 4, seq 0, length 80
16:30:08.859916 IP (tos 0x0, ttl 64, id 43802, offset 0, flags [none], proto: ICMP (1), length: 100) rhel8-bond0.ntilab.net > ocs6504-1-vl11.ntilab.net: ICMP echo reply, id 4, seq 0, length 80[..]
The good news, though only if you're likely to use NX-OS devices now or in the future, is that NX-OS does include the TTL:
n5548-1# ping rhel8
Using IP address of interface loopback0
PING rhel8-bond0.ntilab.net (192.168.11.115): 56 data bytes
64 bytes from 192.168.11.115: icmp_seq=0 ttl=60 time=1.087 ms
64 bytes from 192.168.11.115: icmp_seq=1 ttl=60 time=0.988 ms
[..]
Regards
08-15-2013 11:37 PM
Hi,
Thanks for the input. I already tried with debug ip packet and with details.
What I am tryin to do is find out the TTL from ping to another host. I know that the TTL of Cisco is 255.
I want to know what kind of OS a host is running, Fort example if I get a TTL of 64 I know that that host is running linux, and if I get a TTL of 128 it'a a windows machine.
I was searching for this for some time, and I thought somebody knew a way
08-16-2013 01:26 AM
Hi,
Probably NMAP or any other Penetration Tool might be something you should check.
HTH,
Smitesh
08-17-2013 09:19 AM
hi,
best way is to run wireshark.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: