What is the meaning and function of the TTL value returned by the Ping command?
The ping command is used to test the connection to another network device and measure the round trip time of a packet. Enter the following command on the command line to perform a ping operation:
ping [目标地址]- 1.
For example, to get 192.168.11.112, enter:
ping 192.168.11.112- 1.
picture
The data returned at this time has ttl=64. Let’s understand the meaning and function of the ttl value.
TTL function and principle
TTL (Time to Live) refers to the maximum number of hops that a data packet is allowed to transmit in the network. Its function is to prevent data packets from looping infinitely in the network, and it can also be used to measure the transmission time of data packets from source to destination.
The principle of TTL is that every time a data packet passes through a router, the TTL value will be reduced by 1. When the TTL value decreases to 0, the router will discard the data packet and send a "TTL Exceeded" (Time Exceeded) ICMP message to the source address of the data packet. This ensures that packets do not loop endlessly in the network and can also help diagnose network problems.
Through the value of TTL, the number of routers that a data packet passes through from source to destination can be measured to determine the delay and stability of the network. Each time it passes through a router, the TTL value will be reduced by 1. Therefore, through the TTL value returned by the Ping command, we can roughly determine the number of routers or hops between the target host and us. For example, if the TTL value returned by the Ping command is 64, it can be inferred that the data packet passed the initial TTL value during transmission (usually the system default value, such as 64, 128, 255, etc.) - 64 routers or other work Devices on the network.
TTL value speculation target target host operating system
Different operating systems have different settings for the initial TTL value of outgoing IP packets. Usually the initial TTL value of Windows operating system is 128, while the initial TTL value of Linux and Unix systems is 64.
Based on this feature, we can infer the operating system type of the target host by observing the TTL value of the received ICMP echo response (ping) packet. When we send an ICMP echo request to the target host, the target host will return an ICMP echo response, and the TTL value in this response can help us infer the operating system type of the target host.
If the TTL value is 64, we can infer that the target host is running a Unix-like system (such as Linux), and if the TTL value is 128, we can infer that the target host is running a Windows system. Of course, this is just a speculation, as the TTL value may also be modified by the network device, or the target host may have modified the default TTL value. By observing the TTL value of the ICMP echo response packet, we can infer the operating system type of the target host, but it should be noted that this is only a guessing method and may not be very accurate.
operating system | Default TTL value |
Windows | 128 |
Linux/Unix | 64 |
macOS | 64 |
iOS | 64 |
Android | 64 |
To modify the system's default TTL value in Windows, you can do so by modifying the registry:
- Open the Registry Editor: Press the Win + R key combination to open the Run window, enter regedit and press the Enter key.
- Go to the registry path: Expand the following paths in order
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters- 1.
- Create or modify a DWORD value: Right-click under Parameters, select New -> DWORD (32-bit) value, name it DefaultTTL, then double-click it and set the numerical data to the TTL value you want (expressed in decimal).
- Restart the computer: After modifying the registry, you need to restart the computer for the modifications to take effect.