ICMP TTL details

Time to live (TTL) or hop limit is a mechanism that limits the lifespan or lifetime of data in a computer or network
Time-to-live (TTL) is a value in an Internet Protocol (IP) packet that tells
a network router whether or not the packet has been in the network too long and should be discarded.


For PING Source machine doesn't really matter,
it's what the destination machine uses as it's TTL when it generates the ICMP echo response


TTL is all about the destination and has nothing to do with the source,
different OS has different TTL (considered as an aspect of the OS fingerprinting):

Windows: 128

Linux/Juniper/Mikrotik: 64

Cisco: 255

Solaris: 255

Those numbers will be reduce after each hope crossing.

Example-1: 2.2.2.2 is a cisco router including four routers/hopes, so TTL show 256-4=251

Pinging B [2.2.2.2] with 32 bytes of data:

Reply from 2.2.2.2: bytes=32 time=18 ms TTL=251
Reply from 2.2.2.2: bytes=32 time=21 ms TTL=251


Example-2: 3.3.3.3 is a Windows Machine including three routers/hopes, so TTL show 128-3=125

Pinging B [3.3.3.3] with 32 bytes of data:

Reply from 3.3.3.3: bytes=32 time=18 ms TTL=125
Reply from 3.3.3.3: bytes=32 time=21 ms TTL=125


Example-3: 2.2.2.2 is a Linux Machine including four routers/hopes, so TTL show 64-4=60

Pinging B [2.2.2.2] with 32 bytes of data:

Reply from 2.2.2.2: bytes=32 time=18 ms TTL=60
Reply from 2.2.2.2: bytes=32 time=21 ms TTL=60


The default Windows 95/98 TTL value is 32 hops.
Some users recommend changing this to 128 if you have difficulty reaching certain sites.


Using the multicast IP protocol,
the TTL value indicates the scope or range in which a packet may be forwarded.

By convention:


0 is restricted to the same host
1 is restricted to the same subnet
32 is restricted to the same site
64 is restricted to the same region
128 is restricted to the same continent
255 is unrestricted