
TTL expired in transit


rev.dennis

When I ping 1.2.3.4... I get this.


Pinging 1.2.3.4 with 32 bytes of data:
Reply from 1.1.1.1: TTL expired in transit.
Reply from 1.1.1.1: TTL expired in transit.
Reply from 1.1.1.1: TTL expired in transit.
Reply from 1.1.1.1: TTL expired in transit.

Ping statistics for 1.2.3.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


The TTL (Time To Live) value determines the maximum amount of time an IP packet may live in the network without reaching its destination. It is effectively a bound on the number of routers an IP packet may pass through before being discarded. This message indicates that the TTL expired in transit.


Increase the TTL value using the -i parameter with the ping command.


Most computers today initialize the TTL value of outgoing IP packets to 128 or higher. If you ever see a reply above with a "TTL=5" (or some other low TTL number), this tells you that the computer being pinged should most likely have its default TTL value increased. Otherwise, anyone trying to communicate with the computer from a hop count higher than the TTL will not be able to reach it.


You could also be experiencing issues at a firewall with ICMP (ping) being blocked/dropped, or issues with Network Address Translation (NAT) not working or not being set up properly.


In this situation the NAT was removed.


If you find that ICMP is being blocked, then you can use nmap, which can use TCP. So instead of using ICMP, which is a layer 3 (network) protocol, TCP at layer 4 (transport) is used.


The default behavior of NMAP is to do both an ICMP ping sweep (the usual kind of ping) and a TCP port 80 ACK ping sweep. If an admin is logging these, this will be fairly characteristic of NMAP. This behavior can be changed in several ways. The easiest way is, of course, to simply turn off ping sweeps with -P0.


If you want to do a standard ICMP ping sweep, use -PI.


If you are trying to get through a firewall, though, ICMP pings will likely be blocked and, using packet filtering, ICMP pings can even be dropped at the host. To get around this, NMAP tries to do a TCP "ping" to see if a host is up. By default it sends an ACK to port 80 and expects to see a RST from that port if the host is up. To do only this scan and not the ICMP ping scan, use -PT. To use a different port than port 80, specify it immediately afterwards, e.g. -PT32523 will ACK ping port 32523.


Picking a random high-numbered port in this way may work *much* better than the default NMAP behavior of ACK pinging port 80. This is because many packet filter rules are set up to let through all packets to high-numbered ports with the ACK bit set, but sites may filter port 80 on every machine other than their publicly accessible web servers.


You can also do both an ICMP ping scan and an ACK scan to a high numbered port with, e.g. -PB32523.


However, if a site has a really, really intelligent firewall that recognizes that your ACK packet isn't part of an ongoing TCP connection, it might be smart enough to block it. For that reason, you may get better results with a TCP SYN sweep with -PS. In this case, scanning a high-numbered port will probably not work, and instead you need to pick a port which is likely to get through a firewall. Port 80 is not a bad pick, but something like ssh (port 22) may be better.
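For the admin side of the logging remark above, here is an added example (not part of the original post) that flags sources sending both an ICMP echo request and an ACK to TCP port 80 with no preceding SYN, the pairing the post calls characteristic of NMAP's default host discovery. The log format, addresses, window and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the original post). Assumed format:
# "<epoch> <src> <dst> ICMP <type>" or "<epoch> <src> <dst> TCP <sport> <dport> <flags>"
SAMPLE_LOG = """\
100.00 203.0.113.7 198.51.100.10 ICMP echo-request
100.01 203.0.113.7 198.51.100.10 TCP 40001 80 A
100.02 203.0.113.7 198.51.100.11 ICMP echo-request
100.03 203.0.113.7 198.51.100.11 TCP 40001 80 A
100.04 203.0.113.7 198.51.100.12 TCP 40001 80 A
100.05 203.0.113.7 198.51.100.12 ICMP echo-request
101.00 192.0.2.50 198.51.100.10 TCP 50123 80 S
101.05 192.0.2.50 198.51.100.10 TCP 50123 80 A
101.10 192.0.2.50 198.51.100.10 ICMP echo-request
300.00 192.0.2.99 198.51.100.10 ICMP echo-request
"""

WINDOW = 2.0      # max seconds between echo request and bare ACK (assumed value)
MIN_TARGETS = 3   # distinct destinations before a source is reported (assumed value)

def find_discovery_sweeps(log_text, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {src: sorted dsts} for sources that sent both an ICMP echo
    request and an unsolicited ACK to TCP/80 to at least min_targets hosts."""
    syn_seen = set()               # (src, dst, sport, dport) flows that began with a SYN
    echo = defaultdict(list)       # (src, dst) -> echo-request timestamps
    bare_ack = defaultdict(list)   # (src, dst) -> unsolicited ACK timestamps
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue               # skip blank or malformed records
        ts, src, dst, proto = float(f[0]), f[1], f[2], f[3]
        if proto == "ICMP" and f[4] == "echo-request":
            echo[(src, dst)].append(ts)
        elif proto == "TCP" and len(f) == 7:
            flow, flags = (src, dst, f[4], f[5]), f[6]
            if "S" in flags:
                syn_seen.add(flow)
            elif flags == "A" and f[5] == "80" and flow not in syn_seen:
                bare_ack[(src, dst)].append(ts)
    hits = defaultdict(set)
    for (src, dst), acks in bare_ack.items():
        if any(abs(a - e) <= window for a in acks for e in echo.get((src, dst), [])):
            hits[src].add(dst)
    return {s: sorted(d) for s, d in hits.items() if len(d) >= min_targets}

if __name__ == "__main__":
    print(find_discovery_sweeps(SAMPLE_LOG))
```

The client at 192.0.2.50 is not reported because its ACK follows its own SYN, which is the same connection-state check the post attributes to a smarter firewall.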


