TTL Introduction

TTL (Time To Live) is an important parameter in IP packet header. From TTL value, we can judge the current status of the IP layer.

TTL tells the router whether the packet should be dropped because it stays in the network for too long. TTL is initially designed to define a time scope beyond which the packet will be dropped. As TTL value will be deducted by at least 1 by the router when the packet passes through, TTL often indicates the number of the routers which the packet passed through before it was dropped. When TTL becomes zero, the router will drop the packet and send an ICMP message to the sender of the packet.

Various causes will lead to packets transmission failure to the destination in a specific time period. For instance, wrong routing table configuration may cause packet endless loop. The solution is to drop the packet after a period of time and then send a message to the sender and let it decide whether to retransmit the packet. When this happens, the packet will be retransmitted at the router which is wrongly configured in the routing table. TTL value will be deducted by 1 upon each retransmission until TTL becomes zero when the packet is dropped by the router, which causes transmission error in the network.

Default TTL value varies depending on the difference of the operating system and transmission protocol. Here I listed the default TTL values in TCP and UDP under common operating systems in table 1:

Operating system TCP UDP

AIX

60

30

DEC Patchworks V5

30

30

FreeBSD 2.1

64

64

HP/UX 9.0x

30

30

HP/UX 10.01

64

64

Irix 5.3

60

60

Irix 6.x

60

60

UNIX

255

255

Linux

64

64

MacOS/MacTCP 2.0.x

60

60

OS/2 TCP/IP 3.0

64

64

OSF/1 V3.2A

60

30

Solaris 2.x

255

255

SunOS 4.1.3/4.1.4

60

60

Ultrix V4.1/V4.2A

60

30

VMS/Multinet

64

64

VMS/TCPware

60

64

VMS/Wollongong 1.1.1.1

128

30

VMS/UCX (latest rel.)

128

128

MS Windows 95/98/NT 3.51

32

32

Windows NT 4.0/2000/XP/2003 Server

128

128

Table 1: Default TTL Value under Different Operating Systems

View TTL value of packets and analyze transmission error

When transmission error occurs in the network, we can view the TTL value of packets with a network analyzer and determine whether the error is resulted from wrong routing configuration or other possible reasons in combination of the above table.

Here I use Colasoft Capsa to view TTL of a packet.


Figure 1: View TTL Value in the Packet Tab with Colasoft Capsa

As we can see from figure 1, TTL is 54. With the list TTL value above, we can determine the packets passed through 255-54=201 routers from the source to the destination machine, and the transmission is normal.

Notice:

  1. To determine how many routers a packet passed, you can deduct the TTL value of the packet you captured from the default TTL value of the source device.
  2. If you don't know the default TTL value of the source device, you can use the default TTL value which is lager than and most close to the TTL value of the packet;
  3. The peak TTL value is 255 as TTL field size is 1 byte.

Conclusion

If TTL value of the captured packets is too small, it indicate there may be a transmission error in the network. By checking the TTL value we can find out whether the network is normal or not.