What does the TTL value returned by the Ping command mean and what does it do?

The ping command is used to test the connection to another network device and measure the round trip time of the data packet. You can perform a ping operation by entering the following command in the command line:

 ping [目标地址]

For example, to get 192.168.11.112, you would enter:

 ping 192.168.11.112

picture

The data returned at this time has a ttl=64. Let's understand the meaning and function of the ttl value.

TTL function and principle

TTL (Time to Live) refers to the maximum number of hops a data packet is allowed to transmit in a network. It is used to prevent data packets from circulating infinitely in the network and can also be used to measure the transmission time of data packets from source to destination.

The principle of TTL is that every time a data packet passes through a router, the TTL value will be reduced by 1. When the TTL value is reduced to 0, the router will discard the data packet and send a "TTL timeout" (Time Exceeded) ICMP message to the source address of the data packet. This ensures that the data packet will not circulate infinitely in the network, and can also help diagnose network failures.

Through the TTL value, we can measure the number of routers that a data packet passes through from source to destination, thereby judging the latency and stability of the network. The TTL value decreases by 1 for each router it passes through. Therefore, through the TTL value returned by the Ping command, we can roughly judge the number of routers or hops between the target host and us. For example, if the TTL value returned by the Ping command is 64, it can be inferred that the data packet has passed through the initial TTL value (usually the system default value, such as 64, 128, 255, etc.) - 64 routers or other devices working on the network during the transmission process.

TTL value to estimate the target host operating system

Different operating systems have different settings for the initial TTL value of outgoing IP packets. Usually the initial TTL value of Windows operating system is 128, while the initial TTL value of Linux and Unix systems is 64.

Based on this feature, we can infer the target host's operating system type by observing the TTL value of the received ICMP echo reply (ping) data packet. When we send an ICMP echo request to the target host, the target host will return an ICMP echo reply, and the TTL value in this reply can help us infer the target host's operating system type.

If the TTL value is 64, we can infer that the target host is running a Unix-like system (such as Linux), and if the TTL value is 128, we can infer that the target host is running a Windows system. Of course, this is just a guess, because the TTL value may also be modified by the network device, or the target host may have modified the default TTL value. By observing the TTL value of the ICMP echo reply packet, we can infer the operating system type of the target host, but it should be noted that this is only a guessing method and may not be very accurate.

To modify the default TTL value of Windows, you can do so by modifying the registry:

1. Open the Registry Editor: Press the Win + R key combination to open the Run window, type regedit and press Enter.
2. Go to the registry path: Expand the following paths one by one

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3. To create or modify a DWORD value: Right-click under Parameters, select New -> DWORD (32-bit) Value, name it DefaultTTL, then double-click it and set the Value data to the TTL value you want (in decimal).
4. Restart the computer: After modifying the registry, you need to restart the computer for the modification to take effect.