Heh. I turned out I'd left mtr running in another window... On Sun, Feb 3, 2013 at 11:34 PM, Ketan Kulkarni wrote: > Sorry to send it again, as the list rejected the attachment > (attachment removed in this one) > > Hi Dave, > > The TTL is decremented by 1 on every router. If it reaches 0, the pkt > is dropped and ICMP ttl exceeded is sent to the sender with icmp body > = first few bytes of the packet which caused this error. > Looks like, for every new Echo Req, ip ttl is set to 1. The next > router decrements it and send ICMP ttl exceeded back. > > So 172.20.26.17 send Echo Req to 172.20.0.1 with ttl=1. > 172.20.26.1 (probably your next router) decrements and sends ICMP TTL > exceeded to 172.20.26.17 (probably your client) > > For the next request, ttl=2 and this time 172.20.26.17 (next to next > router) send ttl exceeded. > This is happening till ttl=6 at which the Echo Req is successful. > > Probably this is the behaviour of ping cmd used with -R (record route) > option enabled. > > Attached jpg for reference. > > -Ketan > > On Mon, Feb 4, 2013 at 1:03 PM, Ketan Kulkarni wrote: > > Hi Dave, > > > > The TTL is decremented by 1 on every router. If it reaches 0, the pkt > > is dropped and ICMP ttl exceeded is sent to the sender with icmp body > > = first few bytes of the packet which caused this error. > > Looks like, for every new Echo Req, ip ttl is set to 1. The next > > router decrements it and send ICMP ttl exceeded back. > > > > So 172.20.26.17 send Echo Req to 172.20.0.1 with ttl=1. > > 172.20.26.1 (probably your next router) decrements and sends ICMP TTL > > exceeded to 172.20.26.17 (probably your client) > > > > For the next request, ttl=2 and this time 172.20.26.17 (next to next > > router) send ttl exceeded. > > This is happening till ttl=6 at which the Echo Req is successful. > > > > Probably this is the behaviour of ping cmd used with -R (record route) > > option enabled. > > > > Attached jpg for reference. > > > > -Ketan > > > > On Mon, Feb 4, 2013 at 12:40 PM, Dave Taht wrote: > >> I have been largely looking at packet captures for tcp streams. today I > >> noticed that I was oddly getting icmp ttl exceeded messages back on the > >> network from various devices on the path when I wasn't even pinging... > >> > >> I have to admit parsing icmp is not in my skillset. Is there useful > >> information in the icmp messages in this capture? > >> > >> http://snapon.lab.bufferbloat.net/~d/ttl_exceeded.cap > >> > >> -- > >> Dave Täht > >> > >> Fixing bufferbloat with cerowrt: > >> http://www.teklibre.com/cerowrt/subscribe.html > >> _______________________________________________ > >> Cerowrt-devel mailing list > >> Cerowrt-devel@lists.bufferbloat.net > >> https://lists.bufferbloat.net/listinfo/cerowrt-devel > >> > -- Dave Täht Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html