How to change TTL of Linux


john

Nov 8, 2007, 3:32:46 PM
I am using Linux. Is there any way to change "Time To Live" (TTL) in
Linux network connection (Ethernet connection to an ADSL router)?

D. Stussy

Nov 8, 2007, 7:23:39 PM
"john" <jo...@no.spam> wrote in message
news:fgvrph$1356$1...@ulysses.noc.ntua.gr...

> I am using Linux. Is there any way to change "Time To Live" (TTL) in
> Linux network connection (Ethernet connection to an ADSL router)?

Yes: write to /proc/sys/net/ipv4/ip_default_ttl

64 hops isn't enough? - Or too much? Range: 0-255 (0 is pretty
useless).


Rick Jones

Nov 8, 2007, 9:04:06 PM
john <jo...@no.spam> wrote:
> I am using Linux. Is there any way to change "Time To Live" (TTL) in
> Linux network connection (Ethernet connection to an ADSL router)?

The ADSL router - you mean as in one of those home router devices with
the NAT functionality? Someone else has addressed setting what linux
puts in the TTL, but you may need to make sure that the "router" in
doing NAT doesn't also re-write the IP TTL. Not sure that it would,
but it would be something to check.

rick jones
--
The glass is neither half-empty nor half-full. The glass has a leak.
The real question is "Can it be patched?"
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Andy Ruddock

Nov 9, 2007, 1:36:09 PM
Rick Jones wrote:
> john <jo...@no.spam> wrote:
>> I am using Linux. Is there any way to change "Time To Live" (TTL) in
>> Linux network connection (Ethernet connection to an ADSL router)?
>
> The ADSL router - you mean as in one of those home router devices with
> the NAT functionality? Someone else has addressed setting what linux
> puts in the TTL, but you may need to make sure that the "router" in
> doing NAT doesn't also re-write the IP TTL. Not sure that it would,
> but it would be something to check.
>
> rick jones

If it were to do that wouldn't it break stuff like traceroute?

--
Andy Ruddock
------------
andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)

Rick Jones

Nov 9, 2007, 4:25:29 PM
Andy Ruddock <andy.rud...@gmail.com> wrote:
> Rick Jones wrote:
> > john <jo...@no.spam> wrote:
> >> I am using Linux. Is there any way to change "Time To Live" (TTL) in
> >> Linux network connection (Ethernet connection to an ADSL router)?
> >
> > The ADSL router - you mean as in one of those home router devices with
> > the NAT functionality? Someone else has addressed setting what linux
> > puts in the TTL, but you may need to make sure that the "router" in
> > doing NAT doesn't also re-write the IP TTL. Not sure that it would,
> > but it would be something to check.
> >
> > rick jones

> If it were to do that wouldn't it break stuff like traceroute?

Frankly I wouldn't put much of _anything_ past a NAT but then I've
never really liked NATs, only grudgingly accepted them until such time
as my home ISP will start offering v6 :) Your point is valid though.

rick jones

seems that earthlink used to offer a v6 service to folks via a tunnel,
anyone not just earthlink customers, but I didn't learn about it until
recently and I think it's gone away... if it were still around I might
be tempted to flash my wrt54g.

--
denial, anger, bargaining, depression, acceptance, rebirth...
where do you want to be today?

irb...@gmail.com

Nov 16, 2007, 12:21:13 AM
Some ISPs look at the TTL (time to live) value to try to detect
routers. A Windows machine will use an initial TTL of 128. The
router will dec this by one, so if the ISP sees a TTL of 127, they
know to check the packet traffic for other evidence of an internal
network. Some ISPs want to charge for every computer on the internal
network. Some of us think we are paying for bandwidth and the
internal network is none of the ISP's business.

Andy Ruddock

Nov 16, 2007, 3:16:31 AM

I'm not sure this would be a useful method to try and detect the
presence of multiple machines behind a router.
If my ISP was so anal about it then I'd be switching ISPs at this point.

Paul Colquhoun

Nov 16, 2007, 3:34:16 AM

Worse trick I heard was to set the TTL to 0 (or 1 or 2, as appropriate)
on packets just before passing them to your modem. Just enough to get
to a PC, but a router/NAT box would drop them before passing them on to
a local network.


--
Reverend Paul Colquhoun, ULC. http://andor.dropbear.id.au/~paulcol
Asking for technical help in newsgroups? Read this first:
http://catb.org/~esr/faqs/smart-questions.html#intro

Pascal Hambourg

Nov 16, 2007, 6:05:47 AM
Hello,

Paul Colquhoun wrote:

> <irb...@gmail.com> wrote:
> | Some ISPs look at the TTL (time to live) value to try to detect
> | routers. A Windows machine will use an initial TTL of 128. The
> | router will dec this by one, so if the ISP sees a TTL of 127, they
> | know to check the packet traffic for other evidence of an internal
> | network.

A workaround is to have the router normalize the TTL of outgoing
packets. On a Linux-based router, it can be done with the iptables 'TTL'
target (requires kernel 2.6.14 and above or with TTL patch from the
patch-o-matic). If you don't want to break utilities such as traceroute
which rely on TTL values, you can normalize only packets with an
original TTL above a value between 30 (default maximum number of hops in
traceroute) and the minimum initial TTL of the computers behind the router.

iptables -t mangle -A POSTROUTING -o $IF_WAN -m ttl --ttl-gt 36 \
-j TTL --ttl-set 64

> Worse trick I heard was to set the TTL to 0 (or 1 or 2, as appropriate)
> on packets just before passing them to your modem. Just enough to get
> to a PC, but a router/NAT box would drop them before passing them on to
> a local network.

Indeed that's nasty... Again, on a Linux-based router iptables comes in
handy to increase the TTL of incoming packets.

iptables -t mangle -A PREROUTING -i $IF_WAN -j TTL --ttl-inc 1

john

Nov 16, 2007, 7:57:11 AM
Pascal Hambourg wrote:
>
> Indeed that's nasty... Again, on a Linux-based router iptables comes in
> handy to increase the TTL of incoming packets.
>
> iptables -t mangle -A PREROUTING -i $IF_WAN -j TTL --ttl-inc 1


My PC is on Linux (CentOS 5.0). I suppose the above will work on my system?

Pascal Hambourg

Nov 16, 2007, 9:11:07 AM
john wrote:

Mangling the TTL of incoming packets is useful only on a router. If your
PC does not act as a router, it won't have any effect (other than
increasing the TTL of course) because the TTL is checked only in the
forwarding path.

Moe Trin

Nov 16, 2007, 2:46:41 PM
On Fri, 16 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <473d51e9$1...@proxy.mimer.no>, Andy Ruddock wrote:

>irb...@gmail.com wrote:

>> Some ISPs look at the TTL (time to live) value to try to detect
>> routers. A Windows machine will use an initial TTL of 128. The
>> router will dec this by one, so if the ISP sees a TTL of 127, they
>> know to check the packet traffic for other evidence of an internal
>> network.

Welll.... those ISPs must have a lot of cycles to burn. The TTL value
is an 8 bit value in the IP header (ninth octet). The initial value MAY
differ between TCP and UDP packets - and occasionally ICMP. A passive
fingerprinting tool I often use observes the differences in values in
the IP header to identify various operating systems, and the 262 such
fingerprints list five initial values:

TTL                32   60   64  128  255
number of prints    8   11  159   46   38

but these are all for TCP. Another tool I use notes a number of systems
using a TTL of 30 for UDP (with the same systems using 60 or 64 for
TCP).

RFC0791 (Internet Protocol) did not specify any value for this field.
RFC1122 (Requirements for Internet Hosts - Communication Layers) waves
hands a lot (see section 3.2.1.7) and directs the reader to the
"Assigned Numbers" RFC. RFC1060 (March 1990) recommended a value of 32,
increased in the next edition (RFC1340, July 1992) to 64, where it
remains (the "Assigned Numbers" series of documents have been replaced
by on-line databases - for IP Parameters, this is
http://www.iana.org/assignments/ip-parameters). However, this is a
_recommendation_ rather than a standard. You might also note that
most 'traceroute' type applications default to a maximum 30 hops.

>> Some ISPs want to charge for every computer on the internal network.
>> Some of us think we are paying for bandwidth and the internal network
>> is none of the ISP's business.

The number of computers is only important if each one gets a separate
address from the ISP. If they're hiding behind a NAT or masquerading
box, the more important metric is bandwidth.

>I'm not sure this would be a useful method to try and detect the
>presence of multiple machines behind a router.

It's not very useful, and certainly not reliable. There are much
easier ways.

>If my ISP was so anal about it then I'd be switching ISPs at this point.

Most ISPs are more interested in whether you are using a server of most
any kind on your home (cheap) connection. If you are, you should be
paying more - obviously. ;-)

Old guy
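As an added example that is not part of the thread: a small Python model of what the posts above describe, reading the TTL from the ninth octet of the IPv4 header and guessing initial TTL and hop count the way a passive observer (the ISP in irb's post, the fingerprinting tool in Moe Trin's) would, plus pure-function models of the two iptables TTL rules from Pascal Hambourg's post. The header builder, the sample addresses and the `observe` helper are constructed here; the threshold 36 and the replacement value 64 come from the rule in the thread.

```python
import struct

# Initial TTL values from the passive-fingerprint table quoted in the thread (TCP).
KNOWN_INITIAL_TTLS = (32, 60, 64, 128, 255)


def build_ipv4_header(ttl: int, proto: int = 6) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header (no options, checksum left
    zero), 192.0.2.10 -> 198.51.100.1, both from the documentation ranges."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])
    # version/IHL, DSCP/ECN, total length, id, flags/fragment, TTL, protocol, checksum
    return struct.pack("!BBHHHBBH", 0x45, 0, 40, 0x1234, 0x4000, ttl, proto, 0) + src + dst


def ttl_from_ipv4_header(packet: bytes) -> int:
    """Return the Time To Live field: the ninth octet (offset 8) of the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    return packet[8]


def infer_origin(ttl: int) -> tuple[int, int]:
    """What a passive observer can guess: the smallest known initial TTL that is
    >= the observed value, and the hop distance implied by the difference."""
    initial = next(i for i in KNOWN_INITIAL_TTLS if ttl <= i)  # 255 always matches
    return initial, initial - ttl


def normalize_outgoing_ttl(ttl: int, threshold: int = 36, new_ttl: int = 64) -> int:
    """Model of the thread's POSTROUTING rule (-m ttl --ttl-gt 36 -j TTL --ttl-set 64):
    only TTLs above the threshold are rewritten, so traceroute's small probe TTLs survive."""
    return new_ttl if ttl > threshold else ttl


def increment_incoming_ttl(ttl: int) -> int:
    """Model of the thread's PREROUTING rule (-j TTL --ttl-inc 1); an 8-bit field
    cannot exceed 255, so the result is clamped there."""
    return min(ttl + 1, 255)


def observe(packet: bytes, normalize: bool = False) -> tuple[int, int, int]:
    """(TTL the ISP sees, guessed initial TTL, guessed hops) for one outgoing packet."""
    ttl = ttl_from_ipv4_header(packet)
    if normalize:
        ttl = normalize_outgoing_ttl(ttl)
    return (ttl, *infer_origin(ttl))


if __name__ == "__main__":
    windows_behind_nat = build_ipv4_header(ttl=127)    # Windows (128) one router hop away
    print(observe(windows_behind_nat))                  # (127, 128, 1): "something behind a router"
    print(observe(windows_behind_nat, normalize=True))  # (64, 64, 0): reads as directly connected
    print(observe(build_ipv4_header(ttl=3, proto=17), normalize=True))  # (3, 32, 29): probe untouched
```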
