Diagnose Network by TTL Value
Under the Internet Protocol, TTL is an 8-bit field. In the
IPv4 header, TTL is the 9th octet of 20. In the IPv6 header, it
is the 8th octet of 40. The maximum TTL value is 255, the
maximum value of a single octet. A recommended initial value is
Various causes will lead to packets transmission failure to the destination in a specific time period. For instance, wrong routing table configuration may cause packet endless loop. The solution is to drop the packet after a period of time and then send a message to the sender and let it decide whether to retransmit the packet. When this happens, the packet will be retransmitted at the router which is wrongly configured in the routing table. TTL value will be deducted by 1 upon each retransmission until TTL becomes zero when the packet is dropped by the router, which causes transmission error in the network.
Default TTL value varies depending on the difference of the operating system and transmission protocol. Here I listed the default TTL values in TCP and UDP under common operating systems in table 1:
Table 1: Default TTL Value under Different Operating Systems
When transmission error occurs in the network, we can view the TTL value of packets with Unicorn and determine whether the error is resulted from wrong routing configuration or other possible reasons in combination of the above table. See the figure below:
As we can see from figure 1, TTL is 47. With the list TTL value above, we can determine the packets passed through 255-47=208 routers from the source to the destination machine, and the transmission is normal.
If TTL value of the packets captured is too small, it indicate there may be a transmission error in the network. By checking the TTL value we can find out whether the network is normal or not.
Unicorn Network Analyzer How tos