Diagnose Network by TTL Value

  • What is the TTL?

Under the Internet Protocol, TTL is an 8-bit field. In the IPv4 header, TTL is the 9th octet of 20. In the IPv6 header, it is the 8th octet of 40. The maximum TTL value is 255, the maximum value of a single octet. A recommended initial value is 64.

The time-to-live value can be thought of as an upper bound on the time that an IP datagram can exist in an Internet system. The TTL field is set by the sender of the datagram, and reduced by every router on the route to its destination. If the TTL field reaches zero before the datagram arrives at its destination, then the datagram is discarded and an ICMP error datagram (11 - Time Exceeded) is sent back to the sender. The purpose of the TTL field is to avoid a situation in which an undeliverable datagram keeps circulating on an Internet system, and such a system eventually becoming swamped by such "immortals".

In theory, under IPv4, time to live is measured in seconds, although every host that passes the datagram must reduce the TTL by at least one unit. In practice, the TTL field is reduced by one on every hop. To reflect this practice, the field is renamed hop limit in IPv6.

Various causes can prevent packets from reaching their destination within a given time period. For instance, a wrong routing table configuration may send a packet into an endless loop. The solution is to drop the packet after a period of time, then send a message to the sender and let it decide whether to retransmit the packet. When a loop occurs, the packet keeps being sent on again by the router whose routing table is wrongly configured. The TTL value is reduced by 1 on each pass until it reaches zero, at which point the router drops the packet, and this appears as a transmission error in the network.

The default TTL value varies with the operating system and the transport protocol. Table 1 lists the default TTL values for TCP and UDP under common operating systems:

Operating system                      TCP   UDP
AIX                                   60    30
DEC Pathworks V5                      30    30
FreeBSD 2.1                           64    64
HP/UX 9.0x                            30    30
HP/UX 10.01                           64    64
Irix 5.3                              60    60
Irix 6.x                              60    60
UNIX                                  255   255
Linux                                 64    64
MacOS/MacTCP 2.0.x                    60    60
OS/2 TCP/IP 3.0                       64    64
OSF/1 V3.2A                           60    30
Solaris 2.x                           255   255
SunOS 4.1.3/4.1.4                     60    60
Ultrix V4.1/V4.2A                     60    30
VMS/Multinet                          64    64
VMS/TCPware                           60    64
VMS/Wollongong                        128   30
VMS/UCX (latest rel.)                 128   128
MS Windows 95/98/NT 3.51              32    32
Windows NT 4.0/2000/XP/2003 Server    128   128

Table 1: Default TTL Value under Different Operating Systems

  • View TTL value of packets and analyze transmission error

When a transmission error occurs in the network, we can view the TTL value of packets with Unicorn and, in combination with the table above, determine whether the error results from a wrong routing configuration or from other possible causes. See the figure below:

As we can see from figure 1, the TTL is 47. With the TTL values listed above, we can determine that the packets passed through 255-47=208 routers from the source to the destination machine, and the transmission is normal.

  • Notice:

  1. To determine how many routers a packet passed through, subtract the TTL value of the captured packet from the default TTL value of the source device.
  2. If you don't know the default TTL value of the source device, use the default TTL value that is larger than and closest to the TTL value of the packet.
  3. The maximum TTL value is 255, as the TTL field is 1 byte in size.
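
The three rules above, combined with the header offsets given at the top of the page, as an added Python example (not part of the original article and not Unicorn's code). The function names, the constructed sample headers and the 30-hop threshold are assumptions made for the illustration.

```python
import struct

# Initial TTL values that appear in Table 1 of this page.
TABLE1_DEFAULTS = (30, 32, 60, 64, 128, 255)

def ttl_from_ip_header(packet: bytes) -> int:
    """Return the TTL (IPv4) or hop limit (IPv6) of a raw IP packet."""
    version = packet[0] >> 4 if packet else None
    if version == 4 and len(packet) >= 20:
        return packet[8]   # 9th octet of the 20-byte IPv4 header
    if version == 6 and len(packet) >= 40:
        return packet[7]   # 8th octet of the 40-byte IPv6 header
    raise ValueError("not a complete IPv4 or IPv6 header")

def estimate_hops(observed_ttl: int, initial_ttl=None):
    """Apply Notice rules 1 and 2; return (assumed initial TTL, hops)."""
    if not 0 <= observed_ttl <= 255:          # rule 3: one-octet field
        raise ValueError("TTL must fit in one octet")
    if initial_ttl is None:
        # Rule 2: nearest table default that is not below the observed value
        # (>= rather than > so a packet from the local segment gives 0 hops).
        initial_ttl = min(d for d in TABLE1_DEFAULTS if d >= observed_ttl)
    if initial_ttl < observed_ttl:
        raise ValueError("initial TTL cannot be below the observed TTL")
    return initial_ttl, initial_ttl - observed_ttl   # rule 1

def diagnose(packet: bytes, initial_ttl=None, max_hops: int = 30):
    """Flag a path longer than max_hops (assumed threshold, not from the page)."""
    ttl = ttl_from_ip_header(packet)
    initial, hops = estimate_hops(ttl, initial_ttl)
    return {"ttl": ttl, "initial": initial, "hops": hops, "suspect": hops > max_hops}

# Constructed sample headers (documentation addresses, zero checksum).
def sample_ipv4(ttl: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def sample_ipv6(hop_limit: int) -> bytes:
    addr = bytes.fromhex("20010db8" + "00" * 12)
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 6, hop_limit, addr, addr)

if __name__ == "__main__":
    for pkt in (sample_ipv4(52), sample_ipv6(113), sample_ipv4(3)):
        print(diagnose(pkt))
    print(diagnose(sample_ipv4(3), initial_ttl=64))  # sender default known
```

With the sender unknown, a captured TTL of 3 is matched to the table default of 30 and reads as 27 hops. Supplying the sender's real default of 64 turns the same packet into 61 hops and flags it, so rule 2 should be treated as an estimate.
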
  • Conclusion

If the TTL value of the captured packets is too small, it indicates that there may be a transmission error in the network. By checking the TTL value, we can find out whether the network is behaving normally or not.