Why the different TTL?

15 replies to this topic

#1
GrofLuigi

    GroupPolicy Tattoo Artist

  • Member
  • 1,349 posts
  • OS:none specified

I think the image says it all...

 

ZvjzTHn.png

 

Note: I have DefaultTTL=dword:ff in currentcontrolset\services\tcpip\parameters

 

GL

 





#2
allen2

    Not really Newbie

  • Member
  • 1,812 posts

I hope this will answer your question.



#3
MrJinje

    Tool™ Developer

  • Developer
  • 1,031 posts
  • OS:none specified

Because it went through more hops to get there. Each hop reduces the TTL by one. Apparently it is 4 fewer hops to get to Google than Yahoo from your DNS provider.


Edited by MrJinje, 06 October 2013 - 12:36 AM.


#4
GrofLuigi

    GroupPolicy Tattoo Artist

  • Member
  • 1,349 posts
  • OS:none specified

Oh, TTL is different for "normal" packets and for ping? How can I check my "normal" TTL?

 

@allen2: I still don't understand, see image: nfPaaxO.png

 

TTL is always 58 (now).

 

GL



#5
jaclaz

    The Finder

  • Developer
  • 13,987 posts
  • OS:none specified

Oh, TTL is different for "normal" packets and for ping? How can I check my "normal" TTL?

Try doing another thing:



ping 127.0.0.1

or:



ping localhost

What do you get as TTL (64, 128, or what)?

 

Then check this:

http://www.corenetwo...ng-packets.html

 

jaclaz


Edited by jaclaz, 06 October 2013 - 04:01 AM.


#6
GrofLuigi

    GroupPolicy Tattoo Artist

  • Member
  • 1,349 posts
  • OS:none specified

ping 127.0.0.1 gives 255. OK, that's about settled, then.

 

Except... In my example above, I have 7 hops to Google. Why TTL isn't 248? Or, does my ISP change the TTL? :unsure:

 

GL



#7
jaclaz

    The Finder

  • Developer
  • 13,987 posts
  • OS:none specified

ping 127.0.0.1 gives 255. OK, that's about settled, then.

 

Except... In my example above, I have 7 hops to Google. Why TTL isn't 248? Or, does my ISP change the TTL? :unsure:

 

GL

It is possible, but what you get is not, AFAICU, the "remaining" from the TTL you attribute to the ping (which is the time to live that you give to "your" ping, i.e. how many hops are allowed to get to the target) but rather what remains from what the target attributes to the "return" packet, i.e. how many hops were encountered from the target (if the target gives the return packet a TTL of 64, like a number of servers do, this would explain the behaviour nicely). :unsure:

 

Try running this ;):





for /L %A IN (1,1,20) do @ping -n 1 -i %A 8.8.8.8 | FIND "TTL"

then ping the "intermediate" servers and see what results you get.

 

Or use this as a batch (pingttl.cmd):

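@ECHO OFF
REM Send one ping per outgoing TTL (1..20); the hop where it expires answers "TTL expired in transit".
REM Token 3 of that answer is the responder's IP, which is then pinged directly to show the TTL of its own reply.
SET target=8.8.8.8
FOR /L %%? IN (1,1,20) DO (
FOR /F "tokens=3 delims=: " %%A IN ('ping -n 1 -i %%? %target% ^| FIND "TTL"') DO ECHO %%? %%A & ping -n 1 %%A | FIND "TTL"
)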

Any intermediate "hop" may provide a pingback or not, and decide to give to the forwarded packet a different TTL.

jaclaz


Edited by jaclaz, 06 October 2013 - 07:10 AM.


#8
GrofLuigi

    GroupPolicy Tattoo Artist

  • Member
  • 1,349 posts
  • OS:none specified

@jaclaz:

 

Output from the first command (redirecting with > file.txt gives only one line, so again a screenshot):

 

nZmmrZ0.png

 

Output from the second .bat (redirected):

 

1 192.168.0.1
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
2 89.205.44.1
Reply from 89.205.44.1: bytes=32 time=158ms TTL=254
3 89.205.126.1
Reply from 89.205.126.1: bytes=32 time=195ms TTL=253
5 91.212.235.10
Reply from 91.212.235.10: bytes=32 time=163ms TTL=60
6 209.85.240.162
Reply from 209.85.240.162: bytes=32 time=268ms TTL=55
7 72.14.234.11
8 209.85.254.118
10 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=200ms TTL=47
11 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=223ms TTL=47
12 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=185ms TTL=47
13 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=314ms TTL=47
14 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=200ms TTL=47
15 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=223ms TTL=47
16 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=216ms TTL=47
17 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=252ms TTL=47
18 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=202ms TTL=47
19 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=203ms TTL=47
20 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=188ms TTL=47

 

I understand less and less each time :)

 

GL



#9
GrofLuigi

    GroupPolicy Tattoo Artist

  • Member
  • 1,349 posts
  • OS:none specified

OK, started to understand a little. I pinged each address individually from the first screenshot in the post above (I don't edit because in my experience with the new board software, it will mess up the codebox) and I see that the third hop after my router (exit of my country) reduces TTL to 60. That can be seen also in the second result (codebox) - now that I've seen it, it's easy to understand. :thumbup

 

 

It's settled then (apart from any angry letters I may write).  :whistle:

 

[edit] d@mn, ping 192.168.0.1 (router) gives TTL of 64 - that's the part I still don't understand, because the next hop is correct - 254.

 

GL


Edited by GrofLuigi, 06 October 2013 - 02:17 PM.


#10
jaclaz

    The Finder

  • Developer
  • 13,987 posts
  • OS:none specified

 

[edit] d@mn, ping 192.168.0.1 (router) gives TTL of 64 - that's the part I still don't understand, because the next hop is correct - 254.

 

GL

Well for all you (or I) can know, it is very possible that the PC "attributes" a TTL (time to live) of 64 for packets belonging to the intranet (192.168.0.1 and most probably 255.255.255.0) and a longer 255 one to the ones going "outside".

 

jaclaz



#11
GrofLuigi

    GroupPolicy Tattoo Artist

  • Member
  • 1,349 posts
  • OS:none specified

OK, it seems there's not much I can do. Thank you all for replying.

 

GL

 



#12
jaclaz

    The Finder

  • Developer
  • 13,987 posts
  • OS:none specified

OK, it seems there's not much I can do. Thank you all for replying.

 

GL

 

Well, you can try to ping localhost (or 127.0.0.1), which gave you 255 against pinging "self" with the actual PC IP address 192.168.x.y and pinging other devices in your intranet (if it gives 64 the matter is nicely explained, IMHO).

 

jaclaz



#13
GrofLuigi

    GroupPolicy Tattoo Artist

  • Member
  • 1,349 posts
  • OS:none specified

XzN9mmk.png

 

I currently have no other devices in the network (the laptop doesn't have installed NIC drivers).

 

GL



#14
jaclaz

    The Finder

  • Developer
  • 13,987 posts
  • OS:none specified

I currently have no other devices in the network (the laptop doesn't have installed NIC drivers).

 

GL

Very likely, as said before, what you get is the TTL of the return packet, and it is the router that only sends TTL 64  :unsure:

On my (XP) PC, if I ping "self", I get TTL 128, if I ping my router I get TTL 64, if I ping other PCs I still get TTL 128, but if I ping a (network) Brother printer I have, I get TTL 60 :w00t:, so I believe that it is the "target" that sets what you get back.

 

jaclaz



#15
Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,672 posts
  • OS:Server 2012

Donator

It looks like it has something to do with the OS on the router. Here is a collection of info that may or may not be related, but led me to that possible answer.

 

It is worth to notice that RFC1700 recommends to use 64 as initial TTL value [8]. This is however not followed by most router manufacturers.

//

A router signature is made of a n-tuple of n iTTLs, those iTTLs being retrieved from different ICMP messages.

//

While many different platforms could correspond to the same signature, we know the signature of some well known platforms (to this purpose, we performed a bunch of tests in an emulation lab). For instance, Cisco routers generate signature < 255, 255 > while, for Juniper routers, we have < 255, 64 > with Junos and < 128, 128 > with JunosE. Some Brocade and Alcatel equipment together with some Linux boxes result in a < 64, 64 > signature.

 

http://conferences.s...5-vanaubelA.pdf

 

A handy OS reference:

http://www.binbert.c...ive-ttl-values/

 

There are a bunch of Linux tutorials on how to configure a router's TTL value, which is this (partial) command: match u8 64

 

This in google may lead to something more:

 

"match u8 64" ttl "router"

MSFN RULES | GimageX HTA for PE 3.x | lol probloms
msfn2_zpsc37c7153.jpg
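
An added example, not part of any post in this thread: it parses an excerpt of the pingttl.cmd output posted above, guesses each responder's initial TTL from the values named in the thread (64, 128, 255), and checks whether the reply crossed as many routers as the probe did. The function names and the candidate list are assumptions made for this illustration.

```python
import re

# Initial TTLs mentioned in the thread; assumed here to be the only candidates.
COMMON_INITIAL_TTLS = (64, 128, 255)
REPLY_RE = re.compile(r"Reply from ([\d.]+): bytes=\d+ time[=<]\d+ms TTL=(\d+)")

# Excerpt of the pingttl.cmd output posted earlier in the thread.
SAMPLE = """\
1 192.168.0.1
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
2 89.205.44.1
Reply from 89.205.44.1: bytes=32 time=158ms TTL=254
3 89.205.126.1
Reply from 89.205.126.1: bytes=32 time=195ms TTL=253
5 91.212.235.10
Reply from 91.212.235.10: bytes=32 time=163ms TTL=60
6 209.85.240.162
Reply from 209.85.240.162: bytes=32 time=268ms TTL=55
7 72.14.234.11
10 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=200ms TTL=47
"""

def infer_initial_ttl(observed):
    """Return the smallest candidate initial TTL that is >= the observed TTL."""
    for candidate in COMMON_INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise ValueError(f"TTL {observed} does not fit in an 8-bit field")

def analyse(text):
    """Pair each '<hop> <ip>' line with the reply line that follows it, if any."""
    rows, hop = [], None
    for line in text.splitlines():
        reply = REPLY_RE.match(line.strip())
        parts = line.split()
        if reply and hop is not None:
            ttl = int(reply.group(2))
            initial = infer_initial_ttl(ttl)
            rows.append({"hop": hop, "ip": reply.group(1), "ttl": ttl,
                         "initial": initial, "return_hops": initial - ttl,
                         # True when the reply crossed as many routers as the probe.
                         "symmetric": initial - ttl == hop - 1})
            hop = None
        elif len(parts) == 2 and parts[0].isdigit():
            hop = int(parts[0])  # hops with no reply are overwritten by the next one
    return rows

if __name__ == "__main__":
    for row in analyse(SAMPLE):
        print(row)
```

The guess is only as good as the candidate list: a device that starts at 60, as the printer in post #14 appears to, is indistinguishable from one that starts at 64 and sits four routers away. Rows flagged as not symmetric (hops 6 and 10 here) mean the return path or the assumed initial TTL differs from the simple model.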

#16
GrofLuigi

    GroupPolicy Tattoo Artist

  • Member
  • 1,349 posts
  • OS:none specified

Well, I must say, if it doesn't clean up its act, there is a DD-WRT.zip waiting on my HDD with its name on it. :)

 

GL





