Initial TTL values

Blue Bar separator


The following table shows the initial TTL values that are used by a number of operating systems. Why should you care? Well when you are looking at a trace it is sometimes not obvious where the protocol analyzer was in relation to the hosts of interest. By looking at the TTL values recorded by the analyzer and knowing the initial TTL value you can get an idea of the "distance" between the end points and the analyzer. I gleaned the information in this table from looking at traces and when possible system documentation. I have also stolen shamelessly from other sources on the web.

OSVersionProtocolTTLNotes
    
AIX TCP60
AIX UDP302
AIX3.2, 4.1ICMP2553
    
Android3.2.1TCP and ICMP64
Android5.1.1TCP and ICMP64
    
BSDBSD/OS 3.1 and 4.0ICMP2553
    
Cisco 2610(C2600-J1S3-M), Version 12.3(26), RELEASE SOFTWARE (fc2)ICMP/TCP/UDP255
Cisco 2950C2950-I6Q4L2-M, Version 12.1(13)EA1b RELEASE SOFTWARE (fc1)ICMP/TCP/UDP255
    
CompaTru64 v5.0ICMP643
    
DEC PathworksV5TCP and UDP302
    
Dell PowerConnect 3424 switch 1.0.1.13ICMP/TCP/UDP64
    
Extreme Summit400-48tVersion 7.7e.3 (Build 5)TCP and UDP30
Extreme Summit400-48tVersion 7.7e.3 (Build 5)ICMP128
    
Extreme X350-48tExtremeXOS 12.2.1.1 v1221b1ICMP and TCP255
Extreme X350-48tExtremeXOS 12.2.1.1 v1221b1UDP64
    
F5 Big-IP13.x proxy modeIPV42555
F5 Big-IP13.x proxy modeIPV6645
    
FreeBSD2.1RTCP and UDP642
FreeBSD3.4, 4.0ICMP2553
FreeBSD5.0ICMP642
    
HP-UX9.0xTCP and UDP302
HP-UX10.01TCP and UDP642
HP-UX10.20ICMP2553
HP-UX11.00ICMP2553
HP-UX11.00TCP64
    
Irix5.3TCP and UDP602
Irix6.xTCP and UDP602
Irix6.5.3, 6.5.8ICMP2552
    
MPE/IX (HP) ICMP200
    
Linux2.0.x kernelICMP643
Linux2.2.14 kernelICMP2553
Linux2.4 kernelICMP2553
LinuxRed Hat 4.8TCP/UDP/ICMP64
LinuxRed Hat 6.7 Kernel 2.6.32-504.16.2TCP/UDP/ICMP64
LinuxRed Hat 7.2 Kernel 3.10.0-327.10.1TCP/UDP/ICMP64
LinuxUbuntu 10.04 LTSTCP/UDP/ICMP64
LinuxUbuntu 16.04 Kernel 4.4.0-21-genericTCP/UDP/ICMP64
    
MacOS/MacTCP2.0.xTCP and UDP602
MacOS/MacTCPX (10.5.6)ICMP/TCP/UDP64
    
NetBSD ICMP2553
    
Netgear FVG318 ICMP and UDP64
    
OpenBSD2.6 & 2.7ICMP2553
    
OpenVMS7.1-2ICMP2553
    
OS/2TCP/IP 3.0 644
    
OSF/1V3.2ATCP602
OSF/1V3.2AUDP302
    
SeagateNAS OS 4TCP and ICMP64
    
Solaris2.5.1, 2.6, 2.7, 2.8ICMP2553
Solaris2.8TCP64 
    
StratusTCP_OSICMP255
StratusTCP_OS (14.2-)TCP and UDP301
StratusTCP_OS (14.3+)TCP and UDP641
StratusSTCPICMP/TCP/UDP60
    
SunOS4.1.3/4.1.4TCP and UDP602
SunOS5.7ICMP and TCP255
    
TandemGuardianTCP30
    
UltrixV4.1/V4.2ATCP602
UltrixV4.1/V4.2AUDP302
UltrixV4.2 - 4.5ICMP2553
    
VMS/Multinet TCP and UDP642
VMS/TCPware TCP602
VMS/TCPware UDP642
VMS/Wollongong1.1.1.1TCP1282
VMS/Wollongong1.1.1.1UDP302
VMS/UCX TCP and UDP1282
    
Windows2000 proICMP/TCP/UDP128
Windows2000 familyICMP1283
Windows7 Home PremiumICMP/TCP/UDP128
Windows95TCP and UDP322
Windows98ICMP32
Windows98, 98 SEICMP1283
Windows98TCP128
Windowsfor WorkgroupsTCP and UDP322
WindowsMEICMP1283
WindowsNT 3.51TCP and UDP322
WindowsNT 4.0TCP and UDP1282
WindowsNT 4.0 SP5- 324
WindowsNT 4.0 SP6+ 1284
WindowsNT 4 WRKS SP 3, SP 6aICMP1283
WindowsNT 4 Server SP4ICMP1283
WindowsServer 2003ICMP/TCP/UDP1284
WindowsServer 2008 R2 EnterpriseICMP/TCP/UDP1284
WindowsXPICMP/TCP/UDP128
Windows10 HomeICMP/TCP/UDP128

Notes

1The external variables tcpos_tcp_ttl$ and tcpos_udp_ttl$ can be used to change TCP_OS defaults. I am also not exactly sure when the change from 30 to 64 took place.
2Stolen from secfr.nerim.net/docs/fingerprint/en/ttl_default.html which no longer seems to be available
3I read this but no longer have the reference
4Stolen from www.pmg.com/tip_archive/03_12.htm which no longer seems to be available
5From https://support.f5.com/csp/article/K10711911. The article also points out that you can configure the F5 device to decrement the incoming TTL value, leave it unchanged or set it to a specific value based on the value of the ip-ttl-v[4|6] variable.

Blue Bar separator
This page was last modified on 19-01-06
mailbox Send comments and suggestions
to noah@noahdavids.org