Meaning of TTL in PING Reply

jskfan

I have pinged 2 devices that are the same number of hops away.
One shows TTL:124
the other shows TTL:250

I wonder how the TTL is calculated in this case.

Thank you
atlas_shuddered, Sr. Network Engineer

Commented:
jsk - TTL can differ on the same physical path for several reasons.  Most common are un-noted route switch(s) and internal sub processes of end or intermediate hosts.

Case in point, you can have two hosts connected to the same L3 switch attempt to ping a third host on the same switch.  The first and third host are on a common vlan, resulting in a TTL of 255.  The second host is on a separate vlan from host three, resulting in a TTL of 254.
Distinguished Expert 2018

Commented:
Different OS (even different versions of the same OS) send ping requests with different TTL in ping request/reply packets.

Default TTL (Time To Live) Values of Different OS

Ping in the same subnet

Juniper box:
C:\Users\cdjcr>ping 192.168.1.1
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Windows (local network card):
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128

TTL is decremented by 1 for each L3 hop (can be disabled for MPLS).
noci, Software Engineer
Distinguished Expert 2018

Commented:
If the value reaches 0 the packet will be dropped... (Part of IP spec).
TTL is defined as the number of hops a packet may take. The value is one octet unsigned (i.e. value between 0 and 255 inclusive).
The value is decremented on each router on the way.
On many systems the initial value is 64, 128 or 255.
This will mean a packet will not traverse more than 63, 127, 254 routers.

So if you receive a TTL = 250 then the origin most probably set it to 255 and the packet travelled through 5 routers.
If you see 124 this either is (likely) started at 128 and travelled 4 routers, or (unlikely) started at 255 and travelled 151 routers.....

You can easily check this... try a traceroute and then ping all nodes given to a destination.

(See section of RFC on IP, which described TTL):   https://www.freesoft.org/CIE/RFC/1812/56.htm
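
The inference described in the answer above, as an added example that is not part of the original thread: it reads the TTL from ping reply lines and lists which common initial value (64, 128 or 255, as named in the thread) fits and how many routers that implies. The function names and all sample lines except the first are constructed for illustration.

```python
import re

# Common initial TTL values named in the thread.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Matches "TTL=124" (Windows ping) and "ttl=124" (Unix-style ping).
TTL_RE = re.compile(r"\bttl=(\d{1,3})\b", re.IGNORECASE)

def parse_reply_ttl(line):
    """Return the TTL from one ping reply line, or None if there is none."""
    m = TTL_RE.search(line)
    if not m:
        return None
    ttl = int(m.group(1))
    return ttl if 0 < ttl <= 255 else None

def candidates(observed_ttl):
    """(initial_ttl, routers_crossed) pairs that fit, fewest routers first."""
    return [(init, init - observed_ttl)
            for init in COMMON_INITIAL_TTLS if init >= observed_ttl]

def infer(observed_ttl, traceroute_hops=None):
    """Pick the most plausible (initial_ttl, routers_crossed) pair."""
    cands = candidates(observed_ttl)
    if traceroute_hops is None:
        return cands[0]  # nearest common initial value at or above the reply TTL
    # The reply TTL counts routers on the return path, which may differ from
    # the forward path a traceroute shows, so take the closest candidate.
    return min(cands, key=lambda c: abs(c[1] - traceroute_hops))

def summarize(lines):
    """Return (observed, initial, routers) for every line carrying a TTL."""
    return [(ttl,) + infer(ttl)
            for ttl in map(parse_reply_ttl, lines) if ttl is not None]

# First line is from the thread; the rest are constructed sample output.
SAMPLE = [
    "Reply from 192.168.1.1: bytes=32 time<1ms TTL=64",
    "Reply from 192.0.2.20: bytes=32 time=4ms TTL=124",
    "64 bytes from 192.0.2.30: icmp_seq=1 ttl=250 time=3.1 ms",
    "Request timed out.",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print("observed=%d initial=%d routers=%d" % row)
```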

Steve, Architect/Designer

Commented:
Seems odd as you specify they are the same number of hops away but it's worth confirming if you know this for sure or are just guessing?
The TTL can be specified at source within the ping command, but usually has a default value if you haven't specified it. Assuming both of the pings you mention were done from the same source (were they?) it should default to the same value.

This would suggest your pings have taken a very different route, as the TTL has been decreased quite a lot on one of the replies.
Try a trace route to see if they are not following the path you expected.
Software Engineer
Distinguished Expert 2018
Commented:
@Steve, TTL might be set differently in different systems.  It starts at a certain number (64, 128, 255) depending on manufacturer or system defaults, and counts down from there.  So one system in a network might report 250 and the other will report 123, same routes, only different OS.   (Linux uses a default of 64, it can be adjusted if needed through /proc/sys/net/ipv4/ip_default_ttl ).

You may be able to set a value, the remote system will set its default in the return packets.
Steve, Architect/Designer

Commented:
Thanks @NOCI
I alluded to that and stated an assumption that both pings were from the same source (and therefore have the same ‘default’ TTL)
noci, Software Engineer
Distinguished Expert 2018

Commented:
@n8iveIT:
1) DNS TTL -- different concept: TTL to allow new information to be received.
2) DNS TTL (see 1): it prevents the use of stale information.
3) TTL in IP (ICMP, UDP, TCP) tries to prevent looping packets.
The best reference of TTL in this context most probably is the RFC describing the IP protocol header fields (where is defined how this field is meant to be used).
In this case: RFC 791   https://tools.ietf.org/html/rfc791  (if you want to assign it a "time value", 1 unit can be thought of as 1 second or part thereof. So any device, whether it has a clock or not, needs to decrement the TTL at least by 1).
Distinguished Expert 2018

Commented:
Looks like there is some mystery to be solved here.

ICMP request TTL is independent from TTL for ICMP reply. Which means that, if ICMP request reaches destination device, device will send ICMP reply with its own default TTL and TTL is decreased from that value. Can be seen from capture below (since devices are part of the same broadcast domain - TTL is not decremented):

TTL value of ICMP request and ICMP reply

Author

Commented:
Thank you Guys!
