Solved

strange ttl on ping results

Posted on 2004-10-08
Last Modified: 2012-08-13

This confused me:

pinging 127.0.0.1 had a reply in <1ms, with TTL=128
pinging something in Poland replied in 561ms, and the TTL=41
pinging something in the UK replied in 700ms, and the TTL=238

The pinging of 127.0.0.1 threw me off...

How can a ping to the UK (I'm in Australia) have a higher TTL than
pinging 127.0.0.1?

And why is there such a big range, i.e. TTL=41 ... TTL=238? Doesn't
200 hops seem a bit large?

Who sets the initial ping TTL? Me?

If so, why does Windows set TTL=128 when pinging myself, 255 (I assume) when
pinging someone else, and how did the server in Poland get down to 41?

Thanks.
Question by:apakian
16 Comments
 
LVL 3

Expert Comment

by:_Jochen_
ID: 12261725
Hi apakian,
Every ping (ICMP) packet has its own TTL (time to live) value. When pinging localhost (127.0.0.1), Windows sets the TTL to 128; when pinging in its own subnet it sets it to 64, and for all others to 255. Every time the packet passes a router the TTL should be reduced by 1. Theoretically you can see how many hops the packet has made until it reached the target. But unfortunately many hardware vendors handle this in their own way and don't use the standards for TTL. Because of this, the value you see when pinging is like a random value.
In your case, if you think 200 hops are too much, try running a tracert to the target and you will see how many hops there are.
The initial ping is set by the OS. (In Windows try: ping -i xxx)
Hope I could help you
jochen
 

Author Comment

by:apakian
ID: 12261750

Yes, I almost understand:

Do you mean Windows notices you requested a ping to '127.0.0.1' and for this case sets the TTL=128?
And for all other requests it sets it to 255? In what case does it set it to 64?

I'm confused, because wouldn't it make sense that Windows sets the initial TTL=255,
then when you call 127.0.0.1 the response TTL is still 255, and all others are some lower
value...

Why would 127.0.0.1 be 128?



 

Author Comment

by:apakian
ID: 12261757

Also a ping to telstra.net gives me TTL=57, and telstra.net.au = 247 (both are the same national
carrier; we really only have 1 or 2 in Australia).

 
LVL 3

Expert Comment

by:_Jochen_
ID: 12261981
Hi,
yes, I mean Windows. I think nobody knows why Microsoft has set the TTL values to 64/128 and 255. They implemented the feature in their own way.
Difference between telstra.net and telstra.net.au: every router that forwards the packet has to reduce the TTL by at least 1, but the routers can reduce the TTL value by more than one, depending on the vendor's implementation and the actual traffic on the wires.
I have pinged both addresses and from Germany I get the same value for TTL (52). Maybe from Australia your ICMP packets take different paths.

jochen
 
LVL 3

Expert Comment

by:deemehtani
ID: 12262438
This is how it is usually:

Ping within your network including 127.0.0.x, you get TTL 128
Ping to your gateway address you get TTL 64

Ping to websites hosted at different location, it will have different TTL

example ping au.yahoo.com (from US get TTL 49)
ping yahoo.com (from US get TTL 49)
ping in.yahoo.com (from US get TTL 236)

If you want to get better information, use tracert command.


Hope this helps

--Dee
 

Author Comment

by:apakian
ID: 12262621

Which RFC says you should set local to 128, gateway to 64 and all else to some other value?

 
LVL 3

Expert Comment

by:deemehtani
ID: 12263420
This is how it is implemented by Microsoft!!!

 

Author Comment

by:apakian
ID: 12263445

Could you tell me the site for the logic behind the TTL allocation, or possibly
explain why loopback has a TTL of 128 etc.?
 
LVL 3

Accepted Solution

by:
deemehtani earned 420 total points
ID: 12263995
This is my guess about the TTL value: if you ping a certain address, there is a router entry on how to reach a particular address, either a specific entry or an entry for the next hop; the more specific entry prevails.

Based on the router setup the TTLs are set; basically they are the maximum # of hops a packet may take to reach the destination. It is possible to control it by using the -i option.

--Dee
 
LVL 3

Expert Comment

by:deemehtani
ID: 12264014
Here is a link that talks about TTL in ping:

http://www.visualware.com/whitepapers/tutorials/tracert.html
 

Author Comment

by:apakian
ID: 12264022

I see, so what you are saying is that the reason some pings/pongs have large TTLs and some
have small ones is because some routers decrement the TTL by more than '1', i.e.
if the router's path is a slowish/congested link it might decide to decrement TTL by '50', for example.

Is this what you mean?
 

Author Comment

by:apakian
ID: 12264035
if you look at these 2 comments:

TTL reply: Ping sends an ICMP echo packet (with the TTL value set to the host default) to the host listed on the ping command line. Ping expects back an ICMP 'echo reply' packet. The millisecond time displayed is the round trip time. The "TTL=245" above says that the incoming ICMP echo reply packet has its TTL field set to 245. Because this value was decremented by one at each hop on the way back, this tells us that visualroute.com is probably setting the initial TTL value to 255.

TTL Expired in Transit: Most computers today initialize the TTL value of outgoing IP Packets 128 or higher. If you ever see a reply above with a "TTL=5" (or some other low TTL number) this tells you that the computer being pinged should most likely have its default TTL value increased. Otherwise, anyone trying to communicate with the computer that is at a hop count higher than the TTL will not be able to communicate with the computer. For example, if you are 40 hops away from www.xyz.com, and www.xyz.com sets TTL fields in IP packets that it sends out to 32, the IP Packets will not reach you. They will 'expire in transmit' before they reach you.

<< It still is saying nothing about a router decrementing by more than 1. Also the comment
'If you ever see a reply above with a "TTL=5" (or some other low TTL number) this tells you that the computer being pinged should most likely have its default TTL value increased' is totally throwing me off: why would the
computer being pinged set the TTL? Surely the pinger sets the TTL and the hosts along the way decrement...
If the destination sets the TTL, then this would potentially cause hazard on the net, by hosts incrementing
rather than decrementing, and causing loops...

Very confused.
0
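The inference described in the quoted "TTL reply" paragraph (a reply TTL of 245 suggesting an initial value of 255), written out as an added example that is not part of the original thread. It assumes the replying host started from one of the common defaults 64, 128 or 255 and that each router on the return path decremented by exactly one; the sample lines are constructed from the TTL values in the question, and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed set of common initial TTLs (the values named in this thread). */
static const int COMMON_TTLS[] = {64, 128, 255};

/* Extract N from "... TTL=N" in a Windows-style ping reply line.
 * Returns 0..255, or -1 if the line carries no valid TTL field. */
int parse_reply_ttl(const char *line)
{
    const char *p = strstr(line, "TTL=");
    if (p == NULL)
        return -1;
    char *end;
    long v = strtol(p + 4, &end, 10);
    return (end == p + 4 || v < 0 || v > 255) ? -1 : (int)v;
}

/* Smallest common initial TTL that is >= the observed reply TTL. */
int guess_initial_ttl(int observed)
{
    for (size_t i = 0; i < sizeof COMMON_TTLS / sizeof COMMON_TTLS[0]; i++)
        if (observed <= COMMON_TTLS[i])
            return COMMON_TTLS[i];
    return -1;
}

/* Estimated router count on the return path, or -1 if no TTL was found. */
int estimate_return_hops(const char *line)
{
    int ttl = parse_reply_ttl(line);
    return ttl < 0 ? -1 : guess_initial_ttl(ttl) - ttl;
}

int main(void)
{
    /* Constructed sample lines; addresses are documentation ranges. */
    const char *samples[] = {
        "Reply from 127.0.0.1: bytes=32 time<1ms TTL=128",
        "Reply from 192.0.2.10: bytes=32 time=561ms TTL=41",
        "Reply from 198.51.100.7: bytes=32 time=700ms TTL=238",
        "Request timed out.",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-54s -> %d hops\n", samples[i], estimate_return_hops(samples[i]));
    return 0;
}
```

The result is an estimate of the reply's path only; tracert, as suggested earlier in the thread, measures the forward path directly.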
 
LVL 3

Expert Comment

by:deemehtani
ID: 12264197
Basic idea: TTL is there for historic reasons; it used to be a field earlier. There is no link with the name itself, Time to live; it merely tells you the maximum number of hops the packet can make to reach the destination. As far as ping is concerned you don't get anything out of it; the more important field is the time in milliseconds.

TTL is used in Tracert, for the purpose of finding the exact hop count to the destination.

TTL is set by the host computer (default for Windows is 128), but it may depend upon the router table entries as well, since routers always have entries telling them the hop count to reach the next hop and/or the destination.

At any hop (usually at a router) the TTL is decremented by one. If you want to experiment, do ping as follows:

ping www.google.com -i 10
ping www.google.com -i 20
.....
.....

Hope this helps

--Dee
 

Author Comment

by:apakian
ID: 12265190


OK, now it's clear. While we're on the subject, do you know how to set the TTL under Windows 'C',
using raw ICMP (not icmp.dll)?

I can read the TTL from the IP header on receiving a packet, but can't seem to figure out
how to set it on transmit...

I could go to raw sockets, but really would prefer not to.
I recall somewhere a setsockoption to set the TTL,
do you know?
0
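The socket option the question above is reaching for is IP_TTL at level IPPROTO_IP, set with setsockopt(). The following is an added example, not code from the thread: it is written against POSIX sockets and uses a UDP socket (an assumption, so it runs without privileges); Winsock's setsockopt() accepts the same level and option name. The helper names are hypothetical.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Set the TTL placed in the IP header of packets sent on sock.
 * Returns 0 on success, -1 on error or if ttl is outside 1..255. */
int set_socket_ttl(int sock, int ttl)
{
    if (ttl < 1 || ttl > 255)
        return -1;
    return setsockopt(sock, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl);
}

/* Read back the TTL currently configured on sock; -1 on error. */
int get_socket_ttl(int sock)
{
    int ttl = 0;
    socklen_t len = sizeof ttl;
    if (getsockopt(sock, IPPROTO_IP, IP_TTL, &ttl, &len) != 0)
        return -1;
    return ttl;
}

/* Open a UDP socket, apply ttl, and return the value the kernel reports. */
int ttl_round_trip(int ttl)
{
    int sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0)
        return -1;
    int result = set_socket_ttl(sock, ttl) == 0 ? get_socket_ttl(sock) : -1;
    close(sock);
    return result;
}

int main(void)
{
    /* Same values as the "ping -i 10" / "ping -i 20" experiment above. */
    printf("requested 10, socket reports %d\n", ttl_round_trip(10));
    printf("requested 20, socket reports %d\n", ttl_round_trip(20));
    printf("requested 0 (rejected), result %d\n", ttl_round_trip(0));
    return 0;
}
```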
 

Author Comment

by:apakian
ID: 12279913
ok,