
What pattern does the TTL usually follow? I am working with a task where the TTL increments by 1 for every 3 packets. In the other task the TTL does not have any clear pattern.

Info: I am doing traceroute from: 192.168.2.2 to 198.38.88.104

guru
  • Were you doing a traceroute to/from 198.38.88.104 when this capture was taken? What's the other IP in the packet? Which of the IPs is the source? Could you post a hex dump (hexadecimal values in the lower pane) of 2-3 such packets? – Donbhupi Mar 05 '15 at 20:48
  • The 198.38.88.104 host is definitely doing a traceroute. There is a lot of detail about [how that works here](http://networkengineering.stackexchange.com/questions/12496/every-packet-has-ttl-1-in-traceroute-program). – Eddie Mar 06 '15 at 02:21

1 Answer

Like I mentioned in my comment above, this 3-packet TTL increment is typical of the traceroute application. Since you're doing a traceroute from a Windows machine (192.168.2.2), it sends 3 ICMP packets with TTL=1 to the remote IP 198.38.88.104 and then keeps on incrementing by 1 after every 3 packets.

Since your question is about the TTL value in the replies it receives from the devices in the path, please read the following:
There's no global standard TTL value across all vendors but usually it is a multiple of 2. So, the TTL value in a capture on the client will usually follow the pattern: (2^x)-n, where n is the number of hops and x could be any positive integer.

For example, the device that is 3 hops away (see packet #27) has the IP 193.212.176.97 and the TTL it sends is: (2^8)-3, i.e. 253.

Hope that helps!

Donbhupi
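The two patterns discussed in this thread, as an added example that is not part of the original question or answer: it checks a client-side capture for the 3-probes-per-TTL traceroute signature and applies the answer's (2^x)-n rule to reply TTLs. The function names and the capture rows are constructed for illustration; only 192.168.2.2, 198.38.88.104 and 193.212.176.97 with TTL 253 come from the page.

```python
PROBES_PER_HOP = 3  # per the answer: Windows sends 3 probes per TTL value


def is_traceroute_probe_pattern(ttls, probes_per_hop=PROBES_PER_HOP):
    """True if outgoing TTLs start at 1 and rise by 1 after every N probes."""
    if not ttls:
        return False
    return all(ttl == 1 + i // probes_per_hop for i, ttl in enumerate(ttls))


def estimate_hops(reply_ttl):
    """Apply the answer's (2^x)-n rule; return (assumed_initial_ttl, n).

    Assumption: the sender started from a power of two. A stack that starts
    at 255 comes out one hop higher, and the return path can differ from
    the forward path, so treat n as an estimate.
    """
    if not 1 <= reply_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 1..255")
    initial = 1
    while initial < reply_ttl:
        initial *= 2
    return initial, initial - reply_ttl


def analyze(capture, client_ip):
    """Split (src_ip, ttl) rows into outgoing probes and per-router estimates."""
    probes = [ttl for src, ttl in capture if src == client_ip]
    replies = {src: estimate_hops(ttl) for src, ttl in capture if src != client_ip}
    return is_traceroute_probe_pattern(probes), replies


# Constructed capture rows: (source IP, TTL seen on the client).
SAMPLE = [
    ("192.168.2.2", 1), ("192.168.2.2", 1), ("192.168.2.2", 1),
    ("192.0.2.1", 64),           # constructed first-hop reply
    ("192.168.2.2", 2), ("192.168.2.2", 2), ("192.168.2.2", 2),
    ("192.0.2.9", 254),          # constructed second-hop reply
    ("192.168.2.2", 3), ("192.168.2.2", 3), ("192.168.2.2", 3),
    ("193.212.176.97", 253),     # value quoted in the answer (packet #27)
]

if __name__ == "__main__":
    looks_like_traceroute, replies = analyze(SAMPLE, "192.168.2.2")
    print("traceroute probe pattern:", looks_like_traceroute)
    for ip, (initial, hops) in replies.items():
        print(f"{ip}: assumed initial TTL {initial}, about {hops} hop(s) away")
```
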