GrofLuigi
Posted October 5, 2013

I think the image says it all...

Note: I have DefaultTTL=dword:ff in currentcontrolset\services\tcpip\parameters

GL

MrJinje
Posted October 6, 2013 (edited)

Because it went through more hops to get there. Each hop reduces the TTL by one. Apparently it is 4 less hops to get to google than yahoo from your DNS provider.

Edited October 6, 2013 by MrJinje

GrofLuigi (Author)
Posted October 6, 2013

Oh, TTL is different for "normal" packets and for ping? How can I check my "normal" TTL?

@allen2: I still don't understand, see image: TTL is always 58 (now).

GL

jaclaz
Posted October 6, 2013 (edited)

> Oh, TTL is different for "normal" packets and for ping? How can I check my "normal" TTL?

Try doing another thing:

    ping 127.0.0.1

or:

    ping localhost

What do you get as TTL (64, 128, or what)?

Then check this:
http://www.corenetworkz.com/2013/08/change-ttl-value-set-ping-packets.html

jaclaz

Edited October 6, 2013 by jaclaz

GrofLuigi (Author)
Posted October 6, 2013

ping 127.0.0.1 gives 255. OK, that's about settled, then.

Except... In my example above, I have 7 hops to Google. Why isn't TTL 248? Or, does my ISP change the TTL?

GL

jaclaz
Posted October 6, 2013 (edited)

> ping 127.0.0.1 gives 255. OK, that's about settled, then.
> Except... In my example above, I have 7 hops to Google. Why TTL isn't 248? Or, does my ISP change the TTL?
> GL

It is possible, but what you get is not AFAICU the "remaining" from the TTL you attribute to the ping (which is the time to live that you give to "your" ping, i.e. how many hops are allowed to get to the target) but rather what remains from what the target attributes to the "return" packet, i.e. how many hops were encountered from the target (if the target gives the return packet a TTL of 64 - like a number of servers do - this would explain the behaviour nicely).

Try running this:

    for /L %A IN (1,1,20) do @ping -n 1 -i %A 8.8.8.8 | FIND "TTL"

then ping the "intermediate" servers and see what results you get.

Or use this as a batch (pingttl.cmd):

    @ECHO OFF
    SET target=8.8.8.8
    FOR /L %%? IN (1,1,20) DO (
    FOR /F "tokens=3 delims=: " %%A IN ('ping -n 1 -i %%? %target% ^| FIND "TTL"') DO ECHO %%? %%A & ping -n 1 %%A | FIND "TTL"
    )

Any intermediate "hop" may provide a pingback or not, and decide to give to the forwarded packet a different TTL.

jaclaz

Edited October 6, 2013 by jaclaz

GrofLuigi (Author)
Posted October 6, 2013

@jaclaz:

Output from the first command (redirecting with > file.txt gives only one line, so again a screenshot):

Output from the second .bat (redirected):

    1 192.168.0.1
    Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
    2 89.205.44.1
    Reply from 89.205.44.1: bytes=32 time=158ms TTL=254
    3 89.205.126.1
    Reply from 89.205.126.1: bytes=32 time=195ms TTL=253
    5 91.212.235.10
    Reply from 91.212.235.10: bytes=32 time=163ms TTL=60
    6 209.85.240.162
    Reply from 209.85.240.162: bytes=32 time=268ms TTL=55
    7 72.14.234.118 209.85.254.118
    10 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=200ms TTL=47
    11 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=223ms TTL=47
    12 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=185ms TTL=47
    13 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=314ms TTL=47
    14 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=200ms TTL=47
    15 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=223ms TTL=47
    16 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=216ms TTL=47
    17 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=252ms TTL=47
    18 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=202ms TTL=47
    19 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=203ms TTL=47
    20 8.8.8.8
    Reply from 8.8.8.8: bytes=32 time=188ms TTL=47

I understand less and less each time

GL

GrofLuigi (Author)
Posted October 6, 2013 (edited)

OK, started to understand a little. I pinged each address individually from the first screenshot in the post above (I don't edit because in my experience with the new board software, it will mess up the codebox) and I see that the third hop after my router (exit of my country) reduces TTL to 60. That can be seen also in the second result (codebox) - now that I've seen it, it's easy to understand. It's settled then (apart from any angry letters I may write).

[edit] d@mn, ping 192.168.0.1 (router) gives TTL of 64 - that's the part I still don't understand, because the next hop is correct - 254.

GL

Edited October 6, 2013 by GrofLuigi

jaclaz
Posted October 7, 2013

> [edit] d@mn, ping 192.168.0.1 (router) gives TTL of 64 - that's the part I still don't understand, because the next hop is correct - 254.
> GL

Well for all you (or I) can know, it is very possible that the PC "attributes" a TTL (time to live) of 64 for packets belonging to the intranet (192.168.0.1 and most probably 255.255.255.0) and a longer 255 one to the ones going "outside".

jaclaz

GrofLuigi (Author)
Posted October 7, 2013

OK, it seems there's not much I can do. Thank you all for replying.

GL

jaclaz
Posted October 7, 2013

> OK, it seems there's not much I can do. Thank you all for replying.
> GL

Well, you can try to ping localhost (or 127.0.0.1), which gave you 255 against pinging "self" with the actual PC IP address 192.168.x.y and pinging other devices in your intranet (if it gives 64 the matter is nicely explained, IMHO).

jaclaz

GrofLuigi (Author)
Posted October 7, 2013

I currently have no other devices in the network (the laptop doesn't have installed NIC drivers).

GL

jaclaz
Posted October 7, 2013

> I currently have no other devices in the network (the laptop doesn't have installed NIC drivers).
> GL

Very likely, as said before, what you get is the TTL of the return packet, and it is the router that only sends TTL 64.

On my (XP) PC, if I ping "self", I get TTL 128, if I ping my router I get TTL 64, if I ping other PCs I still get TTL 128, but if I ping a (network) Brother printer I have, I get TTL 60, so I believe that it is the "target" that sets what you get back.

jaclaz

Tripredacus
Posted October 7, 2013

It looks like it has something to do with the OS on the router. Here is a collection of info that may or may not be related, but led me to that possible answer.

> It is worth to notice that RFC1700 recommends to use 64 as initial TTL value [8]. This is however not followed by most router manufacturers.
>
> A router signature is made of a n-tuple of n iTTLs, those iTTLs being retrieved from different ICMP messages.
>
> While many different platforms could correspond to the same signature, we know the signature of some well known platforms (to this purpose, we performed a bunch of tests in an emulation lab). For instance, Cisco routers generate signature < 255, 255 > while, for Juniper routers, we have < 255, 64 > with Junos and < 128, 128 > with JunosE. Some Brocade and Alcatel equipment together with some Linux boxes result in a < 64, 64 > signature.

http://conferences.sigcomm.org/imc/2013/papers/imc055-vanaubelA.pdf

A handy OS reference:
http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/

There are a bunch of Linux tutorials on how to configure a router's TTL value, which is this (partial) command:

    match u8 64

This in google may lead to something more:

    "match u8 64" ttl "router"
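
Added example, not part of any post in the thread: the explanation given in the replies above (the TTL that ping shows is what remains of the initial TTL chosen by the replying host) applied to reply lines taken from the batch output posted earlier. It assumes each replying host started from one of the initial values named in the thread (64, 128, 255), so a host with another default, such as the printer that answers with 60 on the LAN, is misread as 64 minus 4 hops; the function names are illustrative.

```python
import re

# Initial TTL values mentioned in this thread (router/Linux 64, XP 128, 255).
# Assumption: the replying host used one of these as its starting TTL.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Sample input: reply lines taken from the pingttl.cmd output posted above.
SAMPLE = """\
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 89.205.44.1: bytes=32 time=158ms TTL=254
Reply from 89.205.126.1: bytes=32 time=195ms TTL=253
Reply from 91.212.235.10: bytes=32 time=163ms TTL=60
Reply from 209.85.240.162: bytes=32 time=268ms TTL=55
Reply from 8.8.8.8: bytes=32 time=200ms TTL=47
"""

REPLY_RE = re.compile(r"Reply from (\d{1,3}(?:\.\d{1,3}){3}):.*?TTL=(\d+)")


def estimate(observed_ttl):
    """Return (initial_ttl, return_hops) guessed from an observed reply TTL.

    The smallest common initial value that is >= the observed TTL is taken
    as the sender's starting point; the difference is the number of routers
    the reply crossed on its way back (the return path, not the forward one).
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255, got %r" % observed_ttl)
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def analyse(ping_output):
    """Parse Windows ping reply lines into (ip, ttl, initial, hops) tuples."""
    results = []
    for line in ping_output.splitlines():
        match = REPLY_RE.search(line)
        if not match:
            continue  # hop echo lines, timeouts, blank lines
        ip, ttl = match.group(1), int(match.group(2))
        results.append((ip, ttl) + estimate(ttl))
    return results


if __name__ == "__main__":
    for ip, ttl, initial, hops in analyse(SAMPLE):
        print("%-16s TTL=%-3d initial~%-3d return hops~%d" % (ip, ttl, initial, hops))
```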