jskfan
asked on
Meaning of TTL in PING Reply
Meaning of TTL in PING Reply
I have pingged 2 devices that have the same number of Hops away.
One shows TTL:124
the other shows TTL:250
I wonder how is the TTL calculated in this case .
Thank you
I have pingged 2 devices that have the same number of Hops away.
One shows TTL:124
the other shows TTL:250
I wonder how is the TTL calculated in this case .
Thank you
Different OS (even different versions of the same OS) send ping requests with different TTL in ping request/reply packets.
Default TTL (Time To Live) Values of Different OS
Ping in the same subnet
Juniper box:
C:\Users\cdjcr>ping 192.168.1.1
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Windows (local network card):
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
TTL is decremented by 1 for each L3 hop (can be disabled for MPLS).
Default TTL (Time To Live) Values of Different OS
Ping in the same subnet
Juniper box:
C:\Users\cdjcr>ping 192.168.1.1
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Windows (local network card):
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
TTL is decremented by 1 for each L3 hop (can be disabled for MPLS).
If the value reaches 0 the packet will be dropped... (Part of IP spec).
TTL is defined as the number of hops a packet may take. The value is one octet unsigned. (ie. value between 0 and 255 inclusive).
The value is decremented on each router on the way.
On many systems the initial value is 64, 128 or 255.
This will mean a packet will not traverse more than 63, 127, 254 routers.
So if you receive a TTL = 250 then the origin Most probably set it to 255 and the packet travelled through 5 routers.
If you see 124 this either is (likely) started at 128 and travelled 4 routers, or (unlikely) started at 255 and travelled 151 routers.....
You can easily check this... try a traceroute and then ping all nodes nodes given to a destination.
(See section of RFC on IP, which described TTL): https://www.freesoft.org/CIE/RFC/1812/56.htm
TTL is defined as the number of hops a packet may take. The value is one octet unsigned. (ie. value between 0 and 255 inclusive).
The value is decremented on each router on the way.
On many systems the initial value is 64, 128 or 255.
This will mean a packet will not traverse more than 63, 127, 254 routers.
So if you receive a TTL = 250 then the origin Most probably set it to 255 and the packet travelled through 5 routers.
If you see 124 this either is (likely) started at 128 and travelled 4 routers, or (unlikely) started at 255 and travelled 151 routers.....
You can easily check this... try a traceroute and then ping all nodes nodes given to a destination.
(See section of RFC on IP, which described TTL): https://www.freesoft.org/CIE/RFC/1812/56.htm
Seems odd as you specify they are the same number of hops away but it's worth confirming if you know this for sure or are just guessing?
The TTL can be specified at source within the ping command, but usually has a default value if you haven't specified it. assuming both of the pings you mention were done from the same source (where they?) it should default to the same value.
This would suggest your pings have taken a very different route, as the TTL has been decreased quite a lot on one of the replies.
Try a trace route to see if they are not following the path you expected.
The TTL can be specified at source within the ping command, but usually has a default value if you haven't specified it. assuming both of the pings you mention were done from the same source (where they?) it should default to the same value.
This would suggest your pings have taken a very different route, as the TTL has been decreased quite a lot on one of the replies.
Try a trace route to see if they are not following the path you expected.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks @NOCI
I alluded to that and stated an assumption that both pings were from the same source (and therefore have the same ‘default’ TTL)
I alluded to that and stated an assumption that both pings were from the same source (and therefore have the same ‘default’ TTL)
Couple places you can read:
1. Answer in https://www.experts-exchange.com/questions/29124048/Steps-of-how-a-webpage-request-gets-resolved-on-the-internet.html briefly explains the basics of TTL
2. Question in https://www.experts-exchange.com/questions/28569581/DNS-cache-locking-and-dynamic-DNS-record-update.html has some explanation of TTL as well
3. The answer in https://www.experts-exchange.com/questions/28295794/Ping-Why-is-TTL-different-each-time.html
Best reference I could find is the EE thread at https://www.experts-exchange.com/questions/24817136/Explanation-of-TTL-when-doing-a-Ping.html
1. Answer in https://www.experts-exchange.com/questions/29124048/Steps-of-how-a-webpage-request-gets-resolved-on-the-internet.html briefly explains the basics of TTL
2. Question in https://www.experts-exchange.com/questions/28569581/DNS-cache-locking-and-dynamic-DNS-record-update.html has some explanation of TTL as well
3. The answer in https://www.experts-exchange.com/questions/28295794/Ping-Why-is-TTL-different-each-time.html
Best reference I could find is the EE thread at https://www.experts-exchange.com/questions/24817136/Explanation-of-TTL-when-doing-a-Ping.html
@n8iveIT:
1) DNS TTL -- different concept ttl to allow new information to be received.
2) DNS TTL (see 1) it prevent the use of stale information.
3) TTL in IP (ICMP, UDP, TCP) tries to prevent looping packets.
The best reference of TTL in this context most probably is the RFC describing the IP protocol header fields. (where is defined how this field is meant to be used).
In this case: RFC 791 https://tools.ietf.org/html/rfc791 (if you want to assign it a "timevalue" 1 unit can be thought of as 1 second or part thereof. So any device whether is has a clock or not needs to decrement the TTL at least by 1).
1) DNS TTL -- different concept ttl to allow new information to be received.
2) DNS TTL (see 1) it prevent the use of stale information.
3) TTL in IP (ICMP, UDP, TCP) tries to prevent looping packets.
The best reference of TTL in this context most probably is the RFC describing the IP protocol header fields. (where is defined how this field is meant to be used).
In this case: RFC 791 https://tools.ietf.org/html/rfc791 (if you want to assign it a "timevalue" 1 unit can be thought of as 1 second or part thereof. So any device whether is has a clock or not needs to decrement the TTL at least by 1).
Looks like there is some mystery to be solved here.
ICMP request TTL is independent from TTL for ICMP reply. Which means that, if ICMP request reaches destination device, device will sends ICMP reply with it's own default TTL and TTL is decreased from that value. Can be seen from capture below (since devices are part of the same broadcast domain - TTL is not decremented):
ICMP request TTL is independent from TTL for ICMP reply. Which means that, if ICMP request reaches destination device, device will sends ICMP reply with it's own default TTL and TTL is decreased from that value. Can be seen from capture below (since devices are part of the same broadcast domain - TTL is not decremented):
ASKER
Thank you Guys!
Case in point, you can have two hosts connected to the same l3 switch attempt to ping a third host on the same switch. The first and third host are on a common vlan, resulting in a TTL of 255. The second host is on a seperate vlan from host three, resulting in a TTL of 254.