
When I ping the last three hops of a traceroute path to facebook.com from my location, the ICMP echo-reply packets I get back have TTLs of 58, 57 and 56 respectively. The hops in question are the 6th, 7th and 8th hops from my machine.

On the other hand, the TTLs of ICMP time-exceeded messages for packets expiring on those three hops all have a reasonable value: 246, 248, 249.

Now, the return path might well not be the same as the forward path and it might not be the same for ICMP messages of different types.

But where could such a difference come from? A 200-hop cycle along the path? Or ICMP echo-reply packets being generated with a low TTL (much lower than 255: does this even happen?)?

Ricky Robinson
  • I suggest modifying your title to "Why forward ICMP packets have lower TTL than return packets?" It's more accurate I think – mveroone Sep 10 '13 at 12:31
  • Yeah, good point. Done :) – Ricky Robinson Sep 10 '13 at 12:41
  • Doesn't it make sense that "time-exceeded" messages use the maximum TTL possible? They are made to tell you your echo-request had a too low TTL after all – mveroone Sep 10 '13 at 12:59
  • Yes, sure. Time-exceeded messages have exactly the TTL I would expect from any other packet coming from their respective source. What I can't explain is why echo-replies have such a low value. – Ricky Robinson Sep 10 '13 at 13:03
  • Maybe echo-replies use the same TTL as echo-request which have 64 by default on most "ping" implementations (wild guess) – mveroone Sep 10 '13 at 13:27
  • YES! That's the reason. I did some tcpdumping and found out that all my echo-request messages (on Linux) leave my host with TTL=64. The hops before the ones I mentioned in my messages all replied with an ICMP echo-reply originally with TTL=255, but now after some random pinging I found out that most hosts actually reply with an echo-reply with TTL=64. Thanks! Problem solved :) – Ricky Robinson Sep 10 '13 at 14:08

1 Answer

As suggested by the user kwaio, the default (or a common) TTL value to use when generating ICMP echo-request and echo-reply packets is 64.

In my case, the first routers along my selected path responded with an echo-reply message with TTL=255 (at the source), while the last ones with TTL=64.

It appears instead that ICMP time-exceeded messages were created in all cases with a TTL of 255.

After some digging, I found out that different vendors and different OS's adopt different initial TTLs for different protocols: binbert.com/blog/2009/12/default-time-to-live-ttl-values

An interesting implication of this is that you can identify the manufacturer of a given router by letting a packet expire on it and by sending it a ping. More details here: TTL-based Fingerprinting and MPLS and the full article: "Network Fingerprinting: TTL-Based Router Signatures".

Ricky Robinson
  • You may mark the answer as accepted yourself =) (and I would suggest removing your comment to add it in the answer by editing it) – mveroone Sep 11 '13 at 07:40
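
The TTL arithmetic from this thread, as an added example that is not part of the original posts: it infers the initial TTL behind each observed value, the number of decrements on the return path, and the (time-exceeded, echo-reply) initial-TTL pair per router. The candidate list of initial TTLs and the pairing of the question's two TTL lists by hop order are assumptions.

```python
# Added illustration: infer initial TTLs and a per-router TTL signature.
# Assumption: replies start from one of the initial TTLs commonly used by IP stacks.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed: int) -> int:
    """Return the smallest common initial TTL that is >= the observed TTL.

    Heuristic: assumes the return path is shorter than the gap to the next
    candidate (a reply sent with TTL=255 that crossed 130 routers would be
    misread as having started at 128).
    """
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    return min(t for t in COMMON_INITIAL_TTLS if t >= observed)


def return_hops(observed: int) -> int:
    """Number of TTL decrements the reply underwent on its way back."""
    return infer_initial_ttl(observed) - observed


def ttl_signature(time_exceeded_ttl: int, echo_reply_ttl: int) -> tuple:
    """(initial TTL of time-exceeded, initial TTL of echo-reply) for one router."""
    return (infer_initial_ttl(time_exceeded_ttl), infer_initial_ttl(echo_reply_ttl))


# Observed TTLs quoted in the question for hops 6, 7 and 8.
# Pairing the two lists in the order given is an assumption.
SAMPLES = [
    {"hop": 6, "time_exceeded": 246, "echo_reply": 58},
    {"hop": 7, "time_exceeded": 248, "echo_reply": 57},
    {"hop": 8, "time_exceeded": 249, "echo_reply": 56},
]


def analyse(samples):
    """Annotate each sample with its signature and return-path decrements."""
    return [
        {
            "hop": s["hop"],
            "signature": ttl_signature(s["time_exceeded"], s["echo_reply"]),
            "te_return_hops": return_hops(s["time_exceeded"]),
            "er_return_hops": return_hops(s["echo_reply"]),
        }
        for s in samples
    ]


if __name__ == "__main__":
    for row in analyse(SAMPLES):
        print(row)
```

Every sample resolves to the pair (255, 64) with single-digit return-path lengths, which matches the explanation reached in the comments: a lower initial TTL on echo-replies rather than a 200-hop cycle.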