Linux TTL values.

**hobbdebub** · August 17th, 2004, 03:40 AM

I have been studying up on OS fingerprinting and I have hit a part where I scratch my head, and need some outside advice. From all of the stuff I have read it says that most *nix based OS's will return a TTL value of 255 in an ICMP echo reply. This is fine but for one thing, I am running slack 9.1 and it returns 64. Which Kernel did they change it back to 64? Or did theynot and I am an idiot. I am just wondering. Thanks for the help.

***chsh*** · August 17th, 2004, 04:33 AM

Genetic unixes may in fact be 255, but to my recollection linux has always been 64. All my slack boxes (dating back to slack 7) here return 64.

**hobbdebub** · August 17th, 2004, 04:39 AM

Thank you very much chsh. I was a bit confused because something I read stated that 2.4.x kernels returned 255. Anyways thanks again for the answer.

***thehorse13*** · August 17th, 2004, 11:29 AM

RedHat 6.2 - 9.0, Fedora and Enterprise Linux all return 64. You must be an idiot.

***SirDice*** · August 17th, 2004, 11:38 AM

FreeBSD also uses a default TTL of 64. This can easily be changed:

Code:

sysctl net.inet.ip.ttl=128

Just beware the TTL on the echo-reply is the one used by the remote host.
If you receive TTLs back of say 126 you're probably pinging a windows host.
AFAIK most windows versions use a default TTL of 128.

Thread: Linux TTL values.

Thread Tools

Display

Linux TTL values.

Posting Permissions