Ping: Default TTL

Hello Experts,

My question to you is on ping's default TTL. When I ping inside my LAN the default TTL is set to 64, and when I ping Yahoo, in the reply packet I see a TTL of 51.

Does it mean that Yahoo is 255-51 = 204 hops away from my machine?
Please explain.

Below is the ping output:

[root@mars Desktop]# ping 192.168.1.76
PING 192.168.1.76 (192.168.1.76) 56(84) bytes of data.
64 bytes from 192.168.1.76: icmp_seq=0 ttl=64 time=0.300 ms
64 bytes from 192.168.1.76: icmp_seq=1 ttl=64 time=0.169 ms

[root@mars Desktop]# ping www.yahoo.com
PING www.yahoo.akadns.net (68.142.197.73) 56(84) bytes of data.
64 bytes from p10.www.mud.yahoo.com (68.142.197.73): icmp_seq=0 ttl=52 time=324 ms
64 bytes from p10.www.mud.yahoo.com (68.142.197.73): icmp_seq=1 ttl=52 time=325 ms


Thanks.

Asked by: expertblr
1 Solution
 
grsteedCommented:
Actually it means that Yahoo is 13 hops away (64-13=51). The TTL value is decremented at each hop. This could be confirmed by doing a traceroute from your machine. It will list each hop (if they respond correctly to the ICMP message).
 
expertblrAuthor Commented:
Just look at the ping to google.com. In this the TTL is 238 (255-17). My question is: does the TTL value set depend on the remote machine (for Linux the default is 64 and for Windows the default is 255... something like this)?

[root@mars Desktop]# ping www.google.com
PING www.l.google.com (72.14.207.99) 56(84) bytes of data.
64 bytes from 72.14.207.99: icmp_seq=1 ttl=238 time=286 ms
64 bytes from 72.14.207.99: icmp_seq=2 ttl=238 time=272 ms
64 bytes from 72.14.207.99: icmp_seq=3 ttl=238 time=274 ms
64 bytes from 72.14.207.99: icmp_seq=4 ttl=238 time=281 ms

--- www.l.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3025ms
rtt min/avg/max/mdev = 272.860/278.998/286.560/5.563 ms
 
grsteedCommented:
The TTL value in the ping response is determined by the remote system.

From a UNIX man page:

TTL DETAILS

The TTL value of an IP packet represents the maximum number of IP routers that the packet can go through before being thrown away. In current practice you can expect each router in the Internet to decrement the TTL field by exactly one.

The TCP/IP specification states that the TTL field for TCP packets should be set to 60, but many systems use smaller values (4.3 BSD uses 30, 4.2 used 15).

The maximum possible value of this field is 255, and most Unix systems set the TTL field of ICMP ECHO_REQUEST packets to 255. This is why you will find you can ``ping'' some hosts, but not reach them with telnet(1) or ftp(1).

In normal operation ping prints the ttl value from the packet it receives. When a remote system receives a ping packet, it can do one of three things with the TTL field in its response:

* Not change it; this is what Berkeley Unix systems did before the 4.3BSD Tahoe release. In this case the TTL value in the received packet will be 255 minus the number of routers in the round-trip path.
* Set it to 255; this is what current Berkeley Unix systems do. In this case the TTL value in the received packet will be 255 minus the number of routers in the path from the remote system to the pinging host.
* Set it to some other value. Some machines use the same value for ICMP packets that they use for TCP packets, for example either 30 or 60. Others may use completely wild values.

Here are a few links to articles describing how you can determine a remote system type based on its TTL and a few other things.

http://secfr.nerim.net/docs/fingerprint/en/ttl_default.html
http://www.honeynet.org/papers/finger/

Cheers,

Gary
 
grsteedCommented:
Meant to include that on my home network I get these results:

OS              TTL
Redhat Linux     64
Windows XP      128
Windows ME      128
Linksys Router  150

Cheers,

Gary

 
expertblrAuthor Commented:
Thanks for the succor, Gary... :)
 
expertblrAuthor Commented:
One more question, Gary:

Does that mean that I can easily guess the remote end operating system?

 
grsteedCommented:
No problem, glad I could help!

Cheers,

Gary
 
expertblrAuthor Commented:
Gary,

Does that mean that I can easily guess the remote end operating system?

 
grsteedCommented:
I suppose you could make a guess at the OS based on TTL. It seems that most UNIX/Linux systems use 64, and most Windows systems use 128. Beyond that it could be anything, as your Google ping shows.

The Passive Fingerprinting article above would give more accurate info based on other things.

You're not thinking of anything illegal are you?  ;-)

Cheers,

Gary
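The two estimates made in this thread (the hop count in the accepted answer and the OS guess in the comment just above) are the same heuristic: pick the conventional initial TTL (64, 128 or 255) nearest above the value seen in the reply, subtract to get the number of routers on the return path, and read the OS family off the initial value. Below is an added example that applies it to the ping output posted in the thread; it is not code from the original page or from any of the participants. The OS labels attached to each initial TTL are the usual fingerprinting convention and are an assumption of this example, not a property of the protocol, and the `analyse_ping_output` / `estimate_hops` names are this example's own.

```python
"""Infer return-path hop count and likely OS family from the TTL in ping replies."""
import re
from collections import defaultdict

# Initial TTLs that common TCP/IP stacks put on packets they originate,
# mapped to the OS families conventionally associated with them.  This is
# the usual fingerprinting heuristic, not a guarantee: the value is a kernel
# default (net.ipv4.ip_default_ttl on Linux) and can be changed by the admin.
INITIAL_TTLS = {
    64: "Linux / modern BSD / macOS",
    128: "Windows",
    255: "Cisco IOS, Solaris, legacy BSD, many embedded devices",
}

# Matches reply lines printed by Linux (iputils) ping, with or without the
# "(ip)" that follows a resolved hostname.
PING_REPLY = re.compile(
    r"bytes from (?P<host>[^\s:]+)(?: \((?P<ip>\d+\.\d+\.\d+\.\d+)\))?:"
    r" icmp_seq=\d+ ttl=(?P<ttl>\d+)"
)

# Ping reply lines copied from the thread above (LAN host, Yahoo, Google).
SAMPLE_PING_OUTPUT = """\
64 bytes from 192.168.1.76: icmp_seq=0 ttl=64 time=0.300 ms
64 bytes from 192.168.1.76: icmp_seq=1 ttl=64 time=0.169 ms
64 bytes from p10.www.mud.yahoo.com (68.142.197.73): icmp_seq=0 ttl=52 time=324 ms
64 bytes from p10.www.mud.yahoo.com (68.142.197.73): icmp_seq=1 ttl=52 time=325 ms
64 bytes from 72.14.207.99: icmp_seq=1 ttl=238 time=286 ms
64 bytes from 72.14.207.99: icmp_seq=2 ttl=238 time=272 ms
"""


def guess_initial_ttl(observed):
    """Return the smallest conventional initial TTL that is >= the observed value.

    A reply that arrives with TTL 52 cannot have started below 52, and a
    return path of 76 or more routers is implausible on the Internet, so the
    nearest starting value above the observation is the most likely one.
    """
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL {observed} is outside the IPv4 range 1..255")
    return min(t for t in INITIAL_TTLS if t >= observed)


def estimate_hops(observed):
    """Return (guessed_initial_ttl, routers_on_the_return_path).

    Only the remote-to-local direction is measured: each router on the way
    back decrements the TTL once, so initial - observed counts those routers.
    """
    initial = guess_initial_ttl(observed)
    return initial, initial - observed


def analyse_ping_output(text):
    """Group reply lines by target and derive initial TTL, hops and OS guess."""
    seen = defaultdict(list)
    for m in PING_REPLY.finditer(text):
        target = m.group("ip") or m.group("host")
        seen[target].append(int(m.group("ttl")))
    report = {}
    for target, ttls in seen.items():
        initial, hops = estimate_hops(max(ttls))
        report[target] = {
            "ttls": ttls,
            "initial_ttl": initial,
            "hops": hops,
            "os_guess": INITIAL_TTLS[initial],
            # Different TTLs across replies mean the return path changed
            # (rerouting or load balancing), so the hop count is a snapshot.
            "path_stable": len(set(ttls)) == 1,
        }
    return report


if __name__ == "__main__":
    for target, info in analyse_ping_output(SAMPLE_PING_OUTPUT).items():
        print(f"{target:16} ttl={info['ttls'][0]:3}  initial={info['initial_ttl']:3}  "
              f"hops={info['hops']:2}  guess: {info['os_guess']}")
```

Run against the thread's output this gives 64/0 hops for the LAN host, 64/12 hops for the Yahoo address (reply TTL 52) and 255/17 hops for the Google address. Three caveats a practitioner should keep in mind: the reply TTL only measures the path back to you, which on the Internet is often not the same as the forward path that traceroute shows; NAT devices, load balancers and some firewalls rewrite or re-originate packets, so the TTL may describe a middlebox rather than the end host; and a value close to a boundary (say 120) is genuinely ambiguous between "Windows, 8 hops" and "Linux, impossibly far", which is why the heuristic alone is a weak fingerprint compared with the passive-fingerprinting methods linked above.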
 
expertblrAuthor Commented:
Nothing illegal... don't worry :). Just wanted to make sure that I thought in the right direction.

Yeah, I know we can find the OS using some fingerprinting tools... but I never knew we can guess the OS from TTL.

Thanks for your help!!

 
grsteedCommented:
Cool, glad to help!!!

Cheers,

Gary