Diagnose Network by TTL Value
TTL Introduction
TTL (Time To Live) is an important parameter in the IP packet header. From the TTL value, we can judge the current status of the IP layer.
TTL tells a router whether a packet should be dropped because it has stayed in the network for too long. TTL was initially designed to define a time span beyond which the packet is dropped. Because each router deducts at least 1 from the TTL value when the packet passes through, TTL often indicates the number of routers the packet passed through before it was dropped. When TTL becomes zero, the router drops the packet and sends an ICMP message to the sender of the packet.
Various causes can prevent packets from reaching the destination within a specific time period. For instance, a wrong routing table configuration may send a packet into an endless loop. The solution is to drop the packet after a period of time, then send a message to the sender and let it decide whether to retransmit the packet. When this happens, the packet is retransmitted at the router whose routing table is wrongly configured. The TTL value is deducted by 1 upon each retransmission until it becomes zero, at which point the router drops the packet, which causes a transmission error in the network.
The default TTL value varies with the operating system and the transmission protocol. Table 1 lists the default TTL values for TCP and UDP under common operating systems:
Operating system | TCP | UDP |
AIX | 60 | 30 |
DEC Patchworks V5 | 30 | 30 |
FreeBSD 2.1 | 64 | 64 |
HP/UX 9.0x | 30 | 30 |
HP/UX 10.01 | 64 | 64 |
Irix 5.3 | 60 | 60 |
Irix 6.x | 60 | 60 |
UNIX | 255 | 255 |
Linux | 64 | 64 |
MacOS/MacTCP 2.0.x | 60 | 60 |
OS/2 TCP/IP 3.0 | 64 | 64 |
OSF/1 V3.2A | 60 | 30 |
Solaris 2.x | 255 | 255 |
SunOS 4.1.3/4.1.4 | 60 | 60 |
Ultrix V4.1/V4.2A | 60 | 30 |
VMS/Multinet | 64 | 64 |
VMS/TCPware | 60 | 64 |
VMS/Wollongong 1.1.1.1 | 128 | 30 |
VMS/UCX (latest rel.) | 128 | 128 |
MS Windows 95/98/NT 3.51 | 32 | 32 |
Windows NT 4.0/2000/XP/2003 Server | 128 | 128 |
Table 1: Default TTL Value under Different Operating Systems
View TTL value of packets and analyze transmission error
When a transmission error occurs in the network, we can view the TTL value of packets with a network analyzer and, in combination with the table above, determine whether the error results from a wrong routing configuration or from other possible causes.
Here I use Colasoft Capsa to view the TTL of a packet.
Figure 1: View TTL Value in the Packet Tab with Colasoft Capsa
As we can see from figure 1, TTL is 54. With the TTL values listed above, we can determine that the packet passed through 255-54=201 routers from the source to the destination machine, and the transmission is normal.
Notice:
- To determine how many routers a packet passed through, deduct the TTL value of the captured packet from the default TTL value of the source device.
- If you don't know the default TTL value of the source device, use the default TTL value that is larger than and closest to the TTL value of the packet.
- The peak TTL value is 255, as the TTL field is 1 byte in size.
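The rules in the Notice can be applied directly to a captured IPv4 header. The following is an added example, not part of the original article or of Colasoft Capsa: it reads the TTL from raw header bytes and estimates the router count, either from a known source default or, when that is unknown, from the closest larger default in Table 1. The function names, the sample packet and the `LOW_TTL` alert threshold are assumptions made for illustration.

```python
import socket
import struct

# Distinct default initial TTLs that appear in Table 1 (TCP and UDP columns).
TABLE1_DEFAULTS = (30, 32, 60, 64, 128, 255)
LOW_TTL = 5  # assumed alert threshold, not a value from the article


def parse_ipv4(packet: bytes) -> dict:
    """Extract TTL, protocol and addresses from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return {"ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def estimate_hops(ttl: int, source_default=None):
    """Return (assumed initial TTL, routers passed)."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL is a 1-byte field")
    if source_default is None:
        # Notice, rule 2: smallest table default that is >= the observed TTL.
        source_default = min(d for d in TABLE1_DEFAULTS if d >= ttl)
    elif ttl > source_default:
        raise ValueError("observed TTL exceeds the claimed default")
    return source_default, source_default - ttl


def diagnose(packet: bytes, source_default=None) -> dict:
    """Parse the header and attach the hop estimate and a low-TTL flag."""
    info = parse_ipv4(packet)
    initial, hops = estimate_hops(info["ttl"], source_default)
    info.update(initial_ttl=initial, hops=hops, low_ttl=info["ttl"] <= LOW_TTL)
    return info


# Constructed sample: IPv4 header, TTL 54, protocol 6 (TCP), checksum left 0.
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 54, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))

if __name__ == "__main__":
    print(diagnose(SAMPLE))                      # source default unknown
    print(diagnose(SAMPLE, source_default=255))  # source default known
```

The hop count is an estimate: a sender can set any initial TTL, so the inferred default is a best guess rather than a measurement.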
Conclusion
If the TTL value of the captured packets is too small, it indicates there may be a transmission error in the network. By checking the TTL value we can find out whether the network is normal or not.