The UNIX and Linux Forums
UNIX for Advanced & Expert Users

#1  solvman  10-03-2001
TTL field???

Hi all,

I wonder how I can change the Time To Live field for ICMP packets in Redhat 7.1, kernel 2.4.2-2? I looked in /proc/sys/net/ipv4 and did find this field in there.
There should be a way to change the TTL. If it's in a header file, which one?

Thank you all
#2  eddies  10-10-2001

You mean for use with ping, or in general??

Why would you want this anyway??

for ping, use: ping -t 'ttl'
#3  solvman  10-10-2001
generally

I'm talking about TTL field for system itself.

Let's say when someone pings my host, he/she sees a different TTL field. I've heard that lots of netscan applications use this field to determine the type of the system. And for security reasons, if you change that field for ping replies coming from your host, it eliminates this possibility.

Thank you.
#4  Neo (Forum Staff, Administrator)  10-10-2001
Offhand I can't think of any (non-routing) reason to hack the TTL field, or of any tools that use the TTL field to scan, with the exception of traceroute.

If you can post the exact "netscan application" that uses TTL and why it uses it, then we can give a more accurate reply.

It is certainly possible to return bogus values of processes, including TTL. I'm more interested in understanding why you think you need to do this... thanks.
#5  solvman  10-10-2001
How can you define the type of a system remotely? Considering closed ports for telnet, ssh, ftp, http, etc., one way to determine the type of the system is to just ping it, and the TTL of the returned packet is going to define the system because it is basically fixed for different systems. Here is what I mean:

#ping foo1.com
64 bytes from 65.30.119.70: icmp_seq=0 ttl=255 time=209 usec
...

#ping foo2.com
64 bytes from 192.168.0.3: icmp_seq=0 ttl=128 time=1.011 msec
...

#ping foo3.com
64 bytes from ns.donnelly.cc.ks.us (208.129.6.92): icmp_seq=1 ttl=243 time=29.964 msec
...

In those three examples I can say that foo1.com runs RedHat Linux 7.1 (ttl=255), foo2.com Windows (ME) (ttl=128), and foo3.com OpenBSD 2.8 (maybe 2.9) (ttl=243).
So, if you hack and change the TTL for your system, some of the scanning software will be confused. So my question still is: in what file is this field defined???

Thank you all
#6  Neo (Forum Staff, Administrator)  10-10-2001
OK. Now I understand what you are saying. Some systems, for better or for worse, set the TTL differently and this can be exploited to guess the system kernel, as discussed here:

http://www.geocrawler.com/archives/3...0/9/0/4279406/

Because, as the ping manpage says:

Quote:
The maximum possible value of this field is 255, and most Unix systems
set the TTL field of ICMP ECHO_REQUEST packets to 255. This is why you
will find you can ``ping'' some hosts, but not reach them with telnet(1)
or ftp(1).

In normal operation ping prints the ttl value from the packet it receives.
When a remote system receives a ping packet, it can do one of three things
with the TTL field in its response:

o Not change it; this is what Berkeley Unix systems did before the
4.3BSD-Tahoe release. In this case the TTL value in the received
packet will be 255 minus the number of routers in the round-trip
path.

o Set it to 255; this is what current Berkeley Unix systems do. In
this case the TTL value in the received packet will be 255 minus the
number of routers in the path from the remote system to the pinging
host.

o Set it to some other value. Some machines use the same value for
ICMP packets that they use for TCP packets, for example either 30 or
60. Others may use completely wild values.

You want to change the behavior of a host receiving an ICMP_ECHO_REQUEST by altering the TTL set by the host.

Nice idea!!! There is value to this idea, thanks for pointing this out.

In Linux, this value is defined in the ip.h header file in the source distribution:

Quote:
ip.h:#define MAXTTL 255
One way to change it is to modify the parameter in the ip.h include file and rebuild the kernel.

However, different systems allow you to configure MAXTTL from the command line or in a configuration file like /etc/rc.d.

BTW, this was an EXCELLENT question. I tested two modern Linux kernels (TTL 255) and one Win98 system (TTL 64).
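The inference solvman describes in #5 and the ping(8) text quoted in #6 (reply TTL = the remote stack's initial TTL minus the routers on the return path), written out as an added Python example that is not from the thread: it parses the thread's own reply lines, lists which common initial TTLs could explain each observed value, and shows that a host using a non-default TTL (a constructed value of 200) matches no candidate, which is exactly the confusion the thread wants to cause in a scanner. The table of initial TTLs is my own and is not exhaustive.

```python
import re

# Initial TTL values the thread and the quoted ping(8) text attribute to
# common IP stacks (255 for BSD-derived stacks and the Linux hosts tested in
# the thread, 128 for Windows, 64 for others, 30/60 for stacks that reuse
# their TCP TTL). Constructed reference table, not an exhaustive one.
COMMON_INITIAL_TTLS = (30, 32, 60, 64, 128, 255)

TTL_RE = re.compile(r"\bttl=(\d{1,3})\b")


def ttl_from_ping_line(line):
    """Extract the TTL ping prints for one echo reply; None if absent or invalid."""
    m = TTL_RE.search(line)
    if m is None:
        return None
    ttl = int(m.group(1))
    return ttl if ttl <= 255 else None


def candidate_initial_ttls(observed, max_hops=30):
    """Initial TTLs that could yield `observed` after at most `max_hops` routers
    each decremented the field by one. An empty list means no common stack
    explains the value, i.e. the remote host is not using a stock default TTL."""
    return [t for t in COMMON_INITIAL_TTLS if 0 <= t - observed <= max_hops]


def fingerprint(line, max_hops=30):
    """Return (observed_ttl, guessed_initial_ttl, estimated_hops) for one reply
    line. The guess is the smallest plausible initial TTL (fewest hops needed);
    guess and hops are None when no candidate fits, and the whole result is
    None when the line carries no TTL at all."""
    observed = ttl_from_ping_line(line)
    if observed is None:
        return None
    cands = candidate_initial_ttls(observed, max_hops)
    if not cands:
        return observed, None, None
    return observed, cands[0], cands[0] - observed


# Reply lines copied from the thread, plus one constructed line for a host
# whose administrator raised the default TTL to a non-standard 200.
SAMPLE_REPLIES = [
    "64 bytes from 65.30.119.70: icmp_seq=0 ttl=255 time=209 usec",
    "64 bytes from 192.168.0.3: icmp_seq=0 ttl=128 time=1.011 msec",
    "64 bytes from ns.donnelly.cc.ks.us (208.129.6.92): icmp_seq=1 ttl=243 time=29.964 msec",
    "64 bytes from 192.0.2.10: icmp_seq=0 ttl=200 time=0.5 msec",  # constructed
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(fingerprint(reply))
```

Running it on the thread's three replies yields 255/0 hops, 128/0 hops and 255/12 hops; the constructed ttl=200 reply yields no candidate, and a low value such as 30 is ambiguous between several initial TTLs.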
#7  solvman  10-10-2001

Great thanks to all of you, esp. to Neo.

I got the answer I wanted.

Best regards