TTL value in PING response

avilt · ‎01-14-2008

Can someone explain to me in details on what basis the TTL value is displayed when we ping a remote host.

I am pinging a remote host from my WindowsXP system. Sometimes the TTL value is less than 127 and some times its close to 255. Both the resources are on internet.

shrikar.dange · ‎01-14-2008

hi,

In my knowledge the TTL value is the number of hops the packet takes along the path till destination.The number of hops is equal to the number of L3 devices through which the packet has traversed.Each time the packet arrives @ L3 device it processes it and forwards with decreaseD TTL value.

The different numbers in your case may be because the packet must be travelling from different paths.

HTH,

regards,

shri :)

avilt · ‎01-14-2008

I am pinging resource X which is 26 hops away and resource Y which is 16 hops away from my system.

C:\>ping x.x.x.x

Pinging x [x.x.x.x] with 32 bytes of data:

Reply from x.x.x.x: bytes=32 time=289ms TTL=236

C:\>ping y.y.y.y

Pinging y [y.y.y.y] with 32 bytes of data:

Reply from y.y.y.y: bytes=32 time=19ms TTL=112

On what basis the upper TTL value is taken? Why the TTL value is 236 when I ping X and TTL value is 112 in case of Y?

Jon Marshall · ‎01-15-2008

Hi

Is y a windows machine and x a non-windows machine ?

Windows machines use a TTL beginning at 127 whereas unix/cisco devices use a TTL starting at 255.

HTH

Jon

avilt · ‎01-15-2008

My source machine is Windows XP, I do not know about X and Y.

Jon Marshall · ‎01-15-2008

Source machine doesn't really matter, it's what the destination machine uses as it's TTL when it generates the ICMP echo response.

Jon

keeleym · ‎01-15-2008

Hi Jon

"Windows machines use a TTL beginning at 127 whereas unix/cisco devices use a TTL starting at 255. "

That is a useful nugget of information which was previously unknown to me which I though merited a rating.

Best Regards & Many Thanks,

Michael

Jon Marshall · ‎01-15-2008

Michael

Many thanks for that, nice to be appreciated :)

Jon

mohammedmahmoud · ‎01-16-2008

Hi Jon,

I just want to add to your very valuable information, as you said the TTL is all about the destination and has nothing to do with the source, different OS has different TTL (considered as an aspect of the OS fingerprinting):

Windows: 128

Linux: 64

Cisco: 255

Solaris: 255

below are ping results from the LAN to an example of all those from the same source:

Reply from 10.10.99.2: bytes=32 time<1ms TTL=128

Reply from 10.10.99.166: bytes=32 time<1ms TTL=64

Reply from 10.10.99.1: bytes=32 time=1ms TTL=255

Reply from 10.10.99.13: bytes=32 time=1ms TTL=255

BR,

Mohammed Mahmoud.

Jon Marshall · ‎01-17-2008

Hi Mohammed

Good to see you back in action.

Jon

mohammedmahmoud · ‎01-17-2008

Hi Jon,

I am very glade too. Hope you are fine. I've tried to reply on your email a couple of days ago, but i get "Delivery to the following recipients failed due to a permanent error" "Remote host said: 550 This system has been configured to reject your mail (B)".

BR,

Mohammed Mahmoud.

Jon Marshall · ‎01-17-2008

Mohammed

Not sure what's happening with the e-mail. I have 2 e-mail addresses

jon.marshall@networkrail.co.uk

jon.j.marshall@networkrail.co.uk

Probably the first is the best one to try.

Jon

svo · ‎04-18-2017

Hi Mohammed,

it is very nice answer. Can you explain the relationship between ping's TTL and count of hops in traceroute? When I tried something, I thing that it is

ping's TTL == traceroute hops - 2.

Is it correct? And why it is so? But in my images from terminal it is not so always. Thank you very much!?

Vishnu Vardhan S · ‎02-12-2019

That was a valuable information shared by you, thanks a lot.

please find my PC output for the ping, am trying to ping my default gateway which should not decrease any TTL value. And it shows 64 does that means my Windows laptop sending the PING packet with TTL set to 64 not 128.

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::70b3:d2d6:3d69:3f5a%11
IPv4 Address. . . . . . . . . . . : 192.168.1.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::1%11
192.168.1.1

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

C:\Users\Vishnu>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=9ms TTL=64
Reply from 192.168.1.1: bytes=32 time=4ms TTL=64
Reply from 192.168.1.1: bytes=32 time=9ms TTL=64
Reply from 192.168.1.1: bytes=32 time=6ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 9ms, Average = 7ms

Please do not hesitate to click the STAR button if you are satisfied with my answer.

Richard Burts · ‎02-13-2019

The TTL in the ping response was set by the device at 192.168.1.1 and has nothing at all to do with the TTL set by your PC in the ping request.

HTH

Rick

HTH

Rick