Security Incidents mailing list archives

Re: web related oddity


From: bejtlich () TEXAS NET (Richard Bejtlich)
Date: Sat, 4 Mar 2000 17:25:57 -0000


Hi Don,

Assuming the initial TTL for the 24 Feb activity was 255:

255 - 20 (hops) = 235

Assuming the initial TTL for the 29 Feb activity was 128:

128 - 20 (hops) = 108

The question is, why was 255 initially set, then later 128?
As I understand it, initial TTL is set by the source host, and should only
be decremented by routers, not "recalculated."  Is this everyone's
understanding as well?

Incidentally, I observed similar activity from the source host, although the
TTLs I observed were in the 40's range.  This would lead me to believe the initial
TTL may have been 64.

Richard

-----

- What catches my eye is the TTL has changed dramatically from Feb 24 to
  Feb 29.  Either the O/S of CCC.CCC.CCC.100 has changed, or there is initial
  TTL trickery going on.

From Feb 24

10:44:06.296402 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1586: R 0:0(0) ack 674719802 win 0 (ttl 235, id 20884)
14:02:28.310627 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1218: R 0:0(0) ack 674719802 win 0 (ttl 235, id 63165)
14:29:39.975886 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.2298: R 0:0(0) ack 674719802 win 0 (ttl 235, id 17232)

From Feb 29

09:43:42.091875 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1734: R 0:0(0) ack 674719802 win 0 (ttl 108, id 57993)

Anyone else seeing this?

Don
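The TTL arithmetic Richard and Don are doing by hand (observed TTL, nearest common initial TTL above it, difference = hop count, and a changed initial TTL from the same host at the same distance as the tell-tale of an OS change or crafted TTLs) can be scripted over the tcpdump lines in the post. The following is an added example written for this archive page, not code from either poster. It assumes the usual initial-TTL defaults of 32, 64, 128 and 255 (the thread itself only mentions 255, 128 and 64), and the tcpdump line layout shown above; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Assumption: the common initial TTL defaults used by IP stacks.  The thread
# mentions 255, 128 and 64; 32 is included because some stacks use it.
DEFAULT_TTLS = (32, 64, 128, 255)

# The four tcpdump lines from Don's post (Feb 24 and Feb 29), used as input.
SAMPLE_LOG = """\
10:44:06.296402 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1586: R 0:0(0) ack 674719802 win 0 (ttl 235, id 20884)
14:02:28.310627 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1218: R 0:0(0) ack 674719802 win 0 (ttl 235, id 63165)
14:29:39.975886 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.2298: R 0:0(0) ack 674719802 win 0 (ttl 235, id 17232)
09:43:42.091875 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1734: R 0:0(0) ack 674719802 win 0 (ttl 108, id 57993)
"""

# Matches the classic tcpdump TCP summary: "ts src.port > dst.port: ... (ttl N, id M)"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\d+):"
    r".*\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)"
)


def guess_initial_ttl(observed):
    """Smallest common default TTL that is >= the observed TTL.

    A router only decrements TTL, so the source must have started at or
    above the observed value; the nearest default above it is the usual guess.
    """
    for default in DEFAULT_TTLS:
        if observed <= default:
            return default
    raise ValueError("TTL %d exceeds the 8-bit field" % observed)


def hop_count(observed):
    """Hops between the source and the sensor, given the guessed initial TTL."""
    return guess_initial_ttl(observed) - observed


def parse_tcpdump(text):
    """Parse tcpdump lines into records with the inferred initial TTL and hop count."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a TCP summary line we understand; skip it
        ttl = int(match["ttl"])
        records.append({
            "ts": match["ts"],
            "src": match["src"],
            "dst": match["dst"],
            "ttl": ttl,
            "initial": guess_initial_ttl(ttl),
            "hops": hop_count(ttl),
        })
    return records


def ttl_anomalies(records, tolerance=2):
    """Per source host, flag a changed initial TTL at a stable hop distance.

    If the hop counts agree within `tolerance` but the inferred initial TTL
    differs, the host is at the same distance yet its stack (or whoever is
    crafting the packets) started from a different TTL: the situation Don
    and Richard are looking at.
    """
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        initials = sorted({r["initial"] for r in recs})
        hops = sorted({r["hops"] for r in recs})
        same_distance = (hops[-1] - hops[0]) <= tolerance
        report[src] = {
            "initial_ttls": initials,
            "hops": hops,
            "suspicious": len(initials) > 1 and same_distance,
        }
    return report


if __name__ == "__main__":
    for rec in parse_tcpdump(SAMPLE_LOG):
        print("%s %s ttl=%d initial=%d hops=%d" % (
            rec["ts"], rec["src"], rec["ttl"], rec["initial"], rec["hops"]))
    for src, info in ttl_anomalies(parse_tcpdump(SAMPLE_LOG)).items():
        print(src, info)
```

Run against the four lines from the post, the Feb 24 RSTs come out as initial 255 at 20 hops and the Feb 29 RST as initial 128 at 20 hops, so the source is flagged: same distance, different starting TTL. Richard's "40's range" observation maps the same way (for instance 44 gives initial 64, 20 hops). The tolerance argument exists because a route change of a hop or two is normal and should not by itself trigger the flag.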

