[Cerowrt-devel] ping icmp ttl exceeded

Ketan Kulkarni ketkulka at gmail.com
Mon Feb 4 02:34:57 EST 2013


Sorry to send it again, as the list rejected the attachment
(attachment removed in this one)

Hi Dave,

The TTL is decremented by 1 on every router. If it reaches 0, the pkt
is dropped and ICMP ttl exceeded is sent to the sender with icmp body
= first few bytes of the packet which caused this error.
Looks like, for every new Echo Req, ip ttl is set to 1. The next
router decrements it and send ICMP ttl exceeded back.

So 172.20.26.17 send Echo Req to 172.20.0.1 with ttl=1.
172.20.26.1 (probably your next router) decrements and sends ICMP TTL
exceeded to 172.20.26.17 (probably your client)

For the next request, ttl=2 and this time 172.20.26.17 (next to next
router) send ttl exceeded.
This is happening till ttl=6 at which the Echo Req is successful.

Probably this is the behaviour of ping cmd used with -R (record route)
option enabled.

Attached jpg for reference.

-Ketan

On Mon, Feb 4, 2013 at 1:03 PM, Ketan Kulkarni <ketkulka at gmail.com> wrote:
> Hi Dave,
>
> The TTL is decremented by 1 on every router. If it reaches 0, the pkt
> is dropped and ICMP ttl exceeded is sent to the sender with icmp body
> = first few bytes of the packet which caused this error.
> Looks like, for every new Echo Req, ip ttl is set to 1. The next
> router decrements it and send ICMP ttl exceeded back.
>
> So 172.20.26.17 send Echo Req to 172.20.0.1 with ttl=1.
> 172.20.26.1 (probably your next router) decrements and sends ICMP TTL
> exceeded to 172.20.26.17 (probably your client)
>
> For the next request, ttl=2 and this time 172.20.26.17 (next to next
> router) send ttl exceeded.
> This is happening till ttl=6 at which the Echo Req is successful.
>
> Probably this is the behaviour of ping cmd used with -R (record route)
> option enabled.
>
> Attached jpg for reference.
>
> -Ketan
>
> On Mon, Feb 4, 2013 at 12:40 PM, Dave Taht <dave.taht at gmail.com> wrote:
>> I have been largely looking at packet captures for tcp streams. today I
>> noticed that I was oddly getting icmp ttl exceeded messages back on the
>> network from various devices on the path when I wasn't even pinging...
>>
>> I have to admit parsing icmp is not in my skillset. Is there useful
>> information in the icmp messages in this capture?
>>
>> http://snapon.lab.bufferbloat.net/~d/ttl_exceeded.cap
>>
>> --
>> Dave Täht
>>
>> Fixing bufferbloat with cerowrt:
>> http://www.teklibre.com/cerowrt/subscribe.html
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel at lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>



More information about the Cerowrt-devel mailing list