July 20, 2008 02:10am pdt

1. blu 2,150
2. rjwesley 2,000
2. fredradford 2,000
2. AdriendeC 2,000
2. giltjr 2,000
2. yuy2002 2,000
7. sliiconman 1,500
8. lrmoore 1,000
8. wjester 1,000
8. TechSoEasy 1,000
8. donmanrobb 1,000
8. Netman66 1,000
13. decoleur 375

1. lrmoore 7,000
2. rafael_acc 3,005
3. yasirirfan 2,800
4. Frabble 2,600
5. donjohnston 2,500
5. rsivanandan 2,500
7. sunnycoder 2,200
8. blu 2,150
9. mikebern... 2,075
10. leew 2,000
10. zyclonix 2,000
10. jeffkell 2,000
10. fredradford 2,000
10. yuy2002 2,000
10. Dbergert 2,000
10. batry_boy 2,000
10. infotactix 2,000
10. rjwesley 2,000
10. AdriendeC 2,000
10. giltjr 2,000
10. renill 2,000

12.31.2007 at 01:40PM PST, ID: 23051363

	[x] Attachment Details

TTL on ICMP Time to live exceeded messages

Asked by alexmcferron in Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), TCP/IP

I am playing around with Wireshark by doing tracerts and then looking in wireshark to analyze the ICMP protocol and something is puzzling me.
Why is it that when the routers send my machine ICMP Time-to-live exceeded messages, they all have various different time to live amounts?

I am doing a tracert from my computer to www.pingplotter.com. There are 10 hops from my machine to www.pingplotter.com. at each hop, i get a message back (ICMP Time to live exceeded message) but each router has different settings for TTL on these return messages. Why is that? (255, 63, 253, 252, 250, 249, 249, 248, and 244).

reading about tracert, i see that it works by sending an IP Datagram with a time to live = 1. The first hop sends me back an ICMP Time-to-live exceeded message with time to live of 255.
Then my machine sends an IP Datagram with a time to live = 2. The second hop sends me back an ICMP Time-to-live exceeded message with time to live of 63

my machine sends an IP Datagram with time to live = 3. The third hop sends me back an ICMP Time to live exceeded message with time to live of 253

etc....

at each hop these values are different but consistent from each particular router. Is this a setting or is there some logic behind this value coming from each of the different hops?

255 TTL setting (router that is one hop away),

63 (router that is two hops away,

253 (router that is three hops away,

252 (router that is 4 hops away),

etc...

250, 249, 249, 248, and 244). Start Free Trial

Keywords: TTL on ICMP Time to live exceeded mes…

	Title
1	TTL
2	TTL
3	ICMP
4	Reply from 10.8.1.253: TTL …
5	TTL in IP Packet
6	Question on TTL and round-trip time

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

12.31.2007 at 05:15PM PST, ID: 20558270

giltjr:

Typically the value of ttl starts at either 64 or 255 and then, of course, is reduced by 1 for every router the packet passes through and for every second it is queued within a router.

The exception to starting at 64 or 255 is traceroute (tracert for Windows) which starts at 1 and works its way up.

It appears that the device that is two hops away starts it ttl at 64 and all of the others start at 255.

01.01.2008 at 11:05AM PST, ID: 20561074

alexmcferron:

That makes sense but why doesn't it add up perfectly? If we let n = number of hops away then it seems like we have a pattern where TTL = n-1, but then the pattern breaks down. Is there an explanation for this?

If not, then What you have given me is close enough. Thanks. It just seems like there are still some mysteries because the numbers don't add up perfectly.

ICMP Time to Live exceeded packet from 172.17.21.1 (1 hop away)
TTL = 255 (255-0=255)

ICMP Time to Live exceeded packet from 172.17.23.40 (2 hops away)
TTL = 63 (64-1=63)

ICMP Time to Live exceeded packet from 65.199.113.1 (3 hops away)
TTL=253 (255-2=253)

ICMP Time to Live exceeded packet from 157.130.104.81 ( 4 hops away)
TTL=252 (255-3=252)

BREAKS PATTERN:
ICMP Time to Live exceeded packet from 152.63.64.42 (5 hops away)
TTL = 250 (255-5=250) - this one doesn't follow the pattern of 255 - (n-1) = TTL

BREAKS PATTERN:
ICMP Time to Live exceeded packet from 152.63.65.125 (6 hops away)
TTL = 249 (255-5=250) - this one doesn't follow the pattern of 255 - (n-1) = TTL

ICMP Time to Live exceeded packet from 152.63.68.5 (7 hops away)
TTL = 249 (255-6=249)

ICMP Time to Live exceeded packet from 64.208.110.193 (8 hops away)
TTL = 248 (255-7=248)

BREAKS PATTERN:
ICMP Time to Live exceeded packet from 146.82.33.170 (9 hops away)
TTL = 244 (255-8=247) - this one doesn't follow the pattern of 255 - (n-1) = TTL

01.01.2008 at 11:49AM PST, ID: 20561197

giltjr:

Again, in addition to having one subtracted from the ttl for each hop (router) it goes through there is also one subtracted for every second it is held in a routers buffer waiting to get out. Say it gets to a router and the ttl value is 250 and it sits in that router for 5 seconds, when it leaves that router the value of ttl will be 24, 250 (the starting point) - 1, because it is passing through this router, and - 5 (because it sat in this router for 5 seconds).

The "breaks" in the pattern are breaks, what they show is that somewhere along the path the ICMP packet sat in a router's buffer for at least 1 second.

Accepted Solution

20080716-EE-VQP-32 / EE_QW_2_20070628

TTL on ICMP Time to live exceeded messages

Asked by alexmcferron in Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), TCP/IP

About this solution