[Cerowrt-devel] ping icmp ttl exceeded

Dave Taht dave.taht at gmail.com
Mon Feb 4 02:41:22 EST 2013


Heh. I turned out I'd left mtr running in another window...

On Sun, Feb 3, 2013 at 11:34 PM, Ketan Kulkarni <ketkulka at gmail.com> wrote:

> Sorry to send it again, as the list rejected the attachment
> (attachment removed in this one)
>
> Hi Dave,
>
> The TTL is decremented by 1 on every router. If it reaches 0, the pkt
> is dropped and ICMP ttl exceeded is sent to the sender with icmp body
> = first few bytes of the packet which caused this error.
> Looks like, for every new Echo Req, ip ttl is set to 1. The next
> router decrements it and send ICMP ttl exceeded back.
>
> So 172.20.26.17 send Echo Req to 172.20.0.1 with ttl=1.
> 172.20.26.1 (probably your next router) decrements and sends ICMP TTL
> exceeded to 172.20.26.17 (probably your client)
>
> For the next request, ttl=2 and this time 172.20.26.17 (next to next
> router) send ttl exceeded.
> This is happening till ttl=6 at which the Echo Req is successful.
>
> Probably this is the behaviour of ping cmd used with -R (record route)
> option enabled.
>
> Attached jpg for reference.
>
> -Ketan
>
> On Mon, Feb 4, 2013 at 1:03 PM, Ketan Kulkarni <ketkulka at gmail.com> wrote:
> > Hi Dave,
> >
> > The TTL is decremented by 1 on every router. If it reaches 0, the pkt
> > is dropped and ICMP ttl exceeded is sent to the sender with icmp body
> > = first few bytes of the packet which caused this error.
> > Looks like, for every new Echo Req, ip ttl is set to 1. The next
> > router decrements it and send ICMP ttl exceeded back.
> >
> > So 172.20.26.17 send Echo Req to 172.20.0.1 with ttl=1.
> > 172.20.26.1 (probably your next router) decrements and sends ICMP TTL
> > exceeded to 172.20.26.17 (probably your client)
> >
> > For the next request, ttl=2 and this time 172.20.26.17 (next to next
> > router) send ttl exceeded.
> > This is happening till ttl=6 at which the Echo Req is successful.
> >
> > Probably this is the behaviour of ping cmd used with -R (record route)
> > option enabled.
> >
> > Attached jpg for reference.
> >
> > -Ketan
> >
> > On Mon, Feb 4, 2013 at 12:40 PM, Dave Taht <dave.taht at gmail.com> wrote:
> >> I have been largely looking at packet captures for tcp streams. today I
> >> noticed that I was oddly getting icmp ttl exceeded messages back on the
> >> network from various devices on the path when I wasn't even pinging...
> >>
> >> I have to admit parsing icmp is not in my skillset. Is there useful
> >> information in the icmp messages in this capture?
> >>
> >> http://snapon.lab.bufferbloat.net/~d/ttl_exceeded.cap
> >>
> >> --
> >> Dave Täht
> >>
> >> Fixing bufferbloat with cerowrt:
> >> http://www.teklibre.com/cerowrt/subscribe.html
> >> _______________________________________________
> >> Cerowrt-devel mailing list
> >> Cerowrt-devel at lists.bufferbloat.net
> >> https://lists.bufferbloat.net/listinfo/cerowrt-devel
> >>
>



-- 
Dave Täht

Fixing bufferbloat with cerowrt:
http://www.teklibre.com/cerowrt/subscribe.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20130203/b13687d7/attachment-0002.html>


More information about the Cerowrt-devel mailing list