Sign in to follow this  
Followers 0
GrofLuigi

Why the different TTL?

16 posts in this topic

I think the image says it all...

ZvjzTHn.png

Note: I have DefaultTTL=dword:ff in currentcontrolset\services\tcpip\parameters

GL

0

Share this post


Link to post
Share on other sites

because it went through more hops to get there. Each hop reduces the TTL by one. Apparently it is less 4 less hops to get to google than yahoo from your DNS provider.

Edited by MrJinje
0

Share this post


Link to post
Share on other sites

Oh, TTL is different for "normal" packets and for ping? How can I check my "normal" TTL?

@allen2: I still don't understand, see image: nfPaaxO.png

TTL is always 58 (now).

GL

0

Share this post


Link to post
Share on other sites

ping 127.0.0.1 gives 255. OK, that's about settled, then.

Except... In my example above, I have 7 hops to Google. Why TTL isn't 248? Or, does my ISP change the TTL? :unsure:

GL

0

Share this post


Link to post
Share on other sites

ping 127.0.0.1 gives 255. OK, that's about settled, then.

Except... In my example above, I have 7 hops to Google. Why TTL isn't 248? Or, does my ISP change the TTL? :unsure:

GL

It is possible, but what you get is not AFAICU the "remaining" from the TTL you attribute to the ping (which is the time to live that you give to "your" ping, i.e. how many hops are allowed to get to the target) but rather what remains from what the target attributes to the "return" packet, i.e. how many hops were encountered from the target (if the target gives to the return packet of 64 - like a number of servers do, this would explain the behaviour nicely). :unsure:

Try running this ;):

for /L %A IN (1,1,20) do @ping -n 1 -i %A 8.8.8.8 | FIND "TTL"

then ping the "intermediate" servers and see what results you get.

Or use this as a batch (pingttl.cmd):

@ECHO OFFSET target=8.8.8.8FOR /L %%? IN (1,1,20) DO (FOR /F "tokens=3 delims=: " %%A IN ('ping -n 1 -i %%? %target% ^| FIND "TTL"') DO ECHO %%? %%A & ping -n 1 %%A | FIND "TTL")

Any intermediate "hop" may provide a pingback or not, and decide to give to the forwarded packet a different TTL.

jaclaz

Edited by jaclaz
0

Share this post


Link to post
Share on other sites

@jaclaz:

Output from the first command (redirecting with > file.txt gives only one line, so again a screenshot):

nZmmrZ0.png

Output from the second .bat (redirected):

1 192.168.0.1Reply from 192.168.0.1: bytes=32 time<1ms TTL=642 89.205.44.1Reply from 89.205.44.1: bytes=32 time=158ms TTL=2543 89.205.126.1Reply from 89.205.126.1: bytes=32 time=195ms TTL=2535 91.212.235.10Reply from 91.212.235.10: bytes=32 time=163ms TTL=606 209.85.240.162Reply from 209.85.240.162: bytes=32 time=268ms TTL=557 72.14.234.118 209.85.254.11810 8.8.8.8Reply from 8.8.8.8: bytes=32 time=200ms TTL=4711 8.8.8.8Reply from 8.8.8.8: bytes=32 time=223ms TTL=4712 8.8.8.8Reply from 8.8.8.8: bytes=32 time=185ms TTL=4713 8.8.8.8Reply from 8.8.8.8: bytes=32 time=314ms TTL=4714 8.8.8.8Reply from 8.8.8.8: bytes=32 time=200ms TTL=4715 8.8.8.8Reply from 8.8.8.8: bytes=32 time=223ms TTL=4716 8.8.8.8Reply from 8.8.8.8: bytes=32 time=216ms TTL=4717 8.8.8.8Reply from 8.8.8.8: bytes=32 time=252ms TTL=4718 8.8.8.8Reply from 8.8.8.8: bytes=32 time=202ms TTL=4719 8.8.8.8Reply from 8.8.8.8: bytes=32 time=203ms TTL=4720 8.8.8.8Reply from 8.8.8.8: bytes=32 time=188ms TTL=47

I understand less and less each time :)

GL

0

Share this post


Link to post
Share on other sites

OK, started to understand a little. I pinged each address individually from the first screenshot in the post above (I don't edit because in my experience with the new board software, it will mess up the codebox) and I see that the third hop after my router (exit of my country) reduces TTL to 60. That can be seen also in the second result (codebox) - now that I've seen it, its' easy to understand. :thumbup

It's settled then (apart from any angry letters I may write). :whistle:

[edit] d@mn, ping 192.168.0.1 (router) gives TTL of 64 - that's the part I still don't understand, because the next hop is correct - 254.

GL

Edited by GrofLuigi
0

Share this post


Link to post
Share on other sites

[edit] d@mn, ping 192.168.0.1 (router) gives TTL of 64 - that's the part I still don't understand, because the next hop is correct - 254.

GL

Well for all you (or I) can know, it is very possible that the PC "attributes" a TTL (time to live) of 64 for packets belonging to the intranet (192.168.0.1 and most probably 255.255.255.0) and a longer 255 one to the ones going "outside".

jaclaz

0

Share this post


Link to post
Share on other sites

OK, it seems there's not much I can do. Thank you all for replying.

GL

0

Share this post


Link to post
Share on other sites

OK, it seems there's not much I can do. Thank you all for replying.

GL

Well, you can try to ping localhost (or 127.0.0.1), which gave you 255 against pinging "self" with the actual PC IP address 192.168.x.y and pinging other devices in your intranet (if it gives 64 the matter is nicely explained, IMHO).

jaclaz

0

Share this post


Link to post
Share on other sites

XzN9mmk.png

I currently have no other devices in the network (the laptop doesn't have installed NIC drivers).

GL

0

Share this post


Link to post
Share on other sites

I currently have no other devices in the network (the laptop doesn't have installed NIC drivers).

GL

Very likely, as said before, what you get is the TTL of the return packet, and it is the router that only sends TTL 64 :unsure:

On my (XP) PC, if I ping "self", I get TTL 128, if I ping my router I get TTL 64, if I ping other PC's I still get TTL 128, but if I ping a (network) Brother printer I have, I get TTL 60 :w00t:, so I believe that is the "target" that sets what you get back.

jaclaz

0

Share this post


Link to post
Share on other sites

It looks like it has something to do with the OS on the router. Here is a collection of info that may or may not be related, but led me to that possible answer.

It is worth to notice that RFC1700 recommends to use 64 as initial TTL value [8]. This is however not followed by most router manufacturers.

//

A router signature is made of a n-tuple of n iTTLs, those iTTLs being retrieved from different ICMP messages.

//

While many different platforms could correspond to the same signature, we know the signature of some well known platforms (to this purpose, we performed a bunch of tests in an emulation lab). For instance, Cisco routers generate signature < 255, 255 > while, for Juniper routers, we have < 255, 64 > with Junos and < 128, 128 > with JunosE. Some Brocade and Alcatel equipment together with some Linux boxes result in a < 64, 64 > signature.

http://conferences.sigcomm.org/imc/2013/papers/imc055-vanaubelA.pdf

A handy OS reference:

http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/

There are a bunch of Linux tutorials on how to configure a router's TTL value, which is this (partial) command: match u8 64

This in google may lead to something more:

"match u8 64" ttl "router"
0

Share this post


Link to post
Share on other sites

Well, I must say, if it doesn't clean up its act, there is a DD-WRT.zip waiting on my HDD with its name on it. :)

GL

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.