Meaning of TTL in PING Reply

I have pinged 2 devices that are the same number of hops away.
One shows TTL:124
the other shows TTL:250

I wonder how the TTL is calculated in this case.

Thank you
jskfan Asked:
atlas_shuddered (Sr. Network Engineer) Commented:
jsk - TTL can differ on the same physical path for several reasons. Most common are un-noted route switch(s) and internal sub processes of end or intermediate hosts.

Case in point, you can have two hosts connected to the same L3 switch attempt to ping a third host on the same switch. The first and third host are on a common vlan, resulting in a TTL of 255. The second host is on a separate vlan from host three, resulting in a TTL of 254.
JustInCase Commented:
Different OS (even different versions of the same OS) send ping requests with different TTL in ping request/reply packets.

Default TTL (Time To Live) Values of Different OS

Ping in the same subnet

Juniper box:
C:\Users\cdjcr>ping 192.168.1.1
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Windows (local network card):
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128

TTL is decremented by 1 for each L3 hop (can be disabled for MPLS).
noci (Software Engineer) Commented:
If the value reaches 0 the packet will be dropped... (Part of IP spec).
TTL is defined as the number of hops a packet may take. The value is one octet unsigned (i.e. a value between 0 and 255 inclusive).
The value is decremented on each router on the way.
On many systems the initial value is 64, 128 or 255.
This will mean a packet will not traverse more than 63, 127, 254 routers.

So if you receive a TTL = 250 then the origin most probably set it to 255 and the packet travelled through 5 routers.
If you see 124 this either is (likely) started at 128 and travelled 4 routers, or (unlikely) started at 255 and travelled 151 routers.....

You can easily check this... try a traceroute and then ping all nodes given to a destination.

(See section of RFC on IP, which described TTL): https://www.freesoft.org/CIE/RFC/1812/56.htm
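
The inference described in the answer above, as an added example that is not part of the original post: it pulls the TTL out of ping reply lines, lists every common initial value (64, 128, 255) that could have produced it, and uses a router count from traceroute, when one is available, to choose between them. The sample lines, addresses and function names are constructed for illustration.

```python
import re

# Initial TTL defaults named in the thread.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Matches "TTL=124" (Windows ping) and "ttl=60" (Linux ping).
TTL_RE = re.compile(r"\bttl[=:](\d{1,3})\b", re.IGNORECASE)

# Constructed sample output: three hosts, similar distance, different OS defaults.
SAMPLE = [
    "Reply from 10.0.0.10: bytes=32 time=3ms TTL=124",
    "Reply from 10.0.0.20: bytes=32 time=3ms TTL=250",
    "64 bytes from 10.0.0.30: icmp_seq=1 ttl=60 time=2.1 ms",
    "Request timed out.",
]

def parse_reply_ttl(line):
    """Return the TTL from one ping reply line, or None if absent/invalid."""
    m = TTL_RE.search(line)
    if not m:
        return None
    ttl = int(m.group(1))
    return ttl if 0 < ttl <= 255 else None

def candidates(observed_ttl):
    """Every (initial_ttl, routers_crossed) pair consistent with the reply."""
    return [(init, init - observed_ttl)
            for init in COMMON_INITIAL_TTLS if init >= observed_ttl]

def infer(observed_ttl, routers_seen=None):
    """Pick the most plausible (initial_ttl, routers_crossed).

    Without traceroute data, assume the smallest default >= observed TTL.
    With routers_seen (routers listed by traceroute before the target),
    take the candidate closest to it; the return path can differ from the
    forward path, so this is a closest match, not an equality check.
    """
    cands = candidates(observed_ttl)
    if not cands:
        return None
    if routers_seen is None:
        return cands[0]
    return min(cands, key=lambda c: abs(c[1] - routers_seen))

def analyze(lines):
    """Return (observed_ttl, initial_ttl, routers_crossed) per reply line."""
    ttls = (parse_reply_ttl(line) for line in lines)
    return [(t,) + infer(t) for t in ttls if t is not None]

if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print("observed=%d initial=%d routers=%d" % row)
```
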
Steve Commented:
Seems odd as you specify they are the same number of hops away but it's worth confirming if you know this for sure or are just guessing?
The TTL can be specified at source within the ping command, but usually has a default value if you haven't specified it. Assuming both of the pings you mention were done from the same source (were they?) it should default to the same value.

This would suggest your pings have taken a very different route, as the TTL has been decreased quite a lot on one of the replies.
Try a trace route to see if they are not following the path you expected.
noci (Software Engineer) Commented:
@Steve, TTL might be set differently in different systems. It starts at a certain number (64, 128, 255) depending on manufacturer or system defaults, and counts down from there. So one system in a network might report 250 and the other will report 123, same routes, only different OS. (Linux uses a default of 64, it can be adjusted if needed through /proc/sys/net/ipv4/ip_default_ttl ).

You may be able to set a value, the remote system will set its default in the return packets.

Steve Commented:
Thanks @NOCI
I alluded to that and stated an assumption that both pings were from the same source (and therefore have the same ‘default’ TTL)
noci (Software Engineer) Commented:
@n8iveIT:
1) DNS TTL -- different concept, TTL to allow new information to be received.
2) DNS TTL (see 1) it prevents the use of stale information.
3) TTL in IP (ICMP, UDP, TCP) tries to prevent looping packets.
The best reference of TTL in this context most probably is the RFC describing the IP protocol header fields (where it is defined how this field is meant to be used).
In this case: RFC 791 https://tools.ietf.org/html/rfc791 (if you want to assign it a "timevalue" 1 unit can be thought of as 1 second or part thereof. So any device whether it has a clock or not needs to decrement the TTL at least by 1).
JustInCase Commented:
Looks like there is some mystery to be solved here.

ICMP request TTL is independent from TTL for ICMP reply. Which means that, if the ICMP request reaches the destination device, the device will send an ICMP reply with its own default TTL and TTL is decreased from that value. Can be seen from capture below (since devices are part of the same broadcast domain - TTL is not decremented):

TTL value of ICMP request and ICMP reply
jskfan (Author) Commented:
Thank you Guys!