Nmap Development mailing list archives
Re: Nmap on GPRS and problem II
From: magnus () linuxtag org (Nils Magnus)
Date: Thu, 4 Aug 2005 15:15:18 +0200
Re, On Wed, Aug 03, 2005 at 03:16:58AM +0100, zaka rias wrote:
> You ask me to look closer into 'ttl' (it took 14 hours for me to surf about 'what's ttl exactly ?').

The TTL field in an IP packet is a counter that is initialized to an OS-specific value (often 64 or 255) and decremented each time a packet traverses a layer-3 hop (== router). If the TTL value is 0 the packet gets discarded. This concept was invented to prevent "loops" in the network where packets circulate forever and ever (easily observed when you have two systems A and B and both have mutually the other system as the default gateway). That should be described in most network TCP/IP primers, see http://en.wikipedia.org/wiki/Time_to_live
> have a look at this ethereal log, i cut unnecessary things from the real log (but you can find the full log in attachment) :
> =======================================================================
> No.  Time       Source        Destination   Prto
> 15   16.136761  192.168.0.2   207.46.18.30  TCP  2227 [...]
>   Time to live: 64

Ok, your OS sends the packets out with an initial 64 in the TTL. That's quite common for slightly older operating systems. Some have switched already to 255 and the value can usually be configured in the network settings.
> 16   17.232115  207.46.18.30  192.168.0.2   TCP  http [...]
>   Time to live: 62

This is obviously the returned packet. It has 62 as TTL which looks very much like 64 - 2. So, assuming that the 207.46.18.30 system has also 64 as initial TTL, it is only 2 hops away from your network. I doubt that you are located that closely to microsoft.com. It is a first indicator that your ISP does something with your packets and rewrites them.
> so i look at ethereal log, first packet with TTL 64 and then i got received packet (2nd frame) with TTL 62, so i can say that my ISP's using transparent proxy.

Ehm, well, that is not a proof, since you (and I) are comparing packets of two directions (one egress and the second ingress). I'd be interested in the different TTL values FROM a single address sent to your machine, as often only selected services are proxied or port-forwarded (most specifically HTML-traffic).
> is that what u mean with 'look closely to the TTL values" ?

I more or less meant the same thing you did. You might repeat it with an nmap -n -v -sS -p80,443 scan and compare the results. You may ask the other TTL question in PM.

Regards,

Nils Magnus
Program-Chair LinuxTag 2005 Free Conference Program
LinuxTag 2005: Where .com meets .org - magnus () linuxtag org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
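The check Nils describes (compare the TTLs that arrive FROM one remote address on different services, rather than comparing an outgoing packet with an incoming one) can be scripted. The following is an added example written for this archive page, not code from the thread or from the Nmap project. It assumes a simplified one-line-per-packet capture summary of the form `frame time src dst proto sport > dport [flags] ttl=N` (the sample lines are constructed to mirror the thread's addresses), assumes the usual initial TTLs of 64, 128 and 255, and assumes the local network is 192.168.0.0/16; all three are assumptions, not facts from the page. A remote address whose replies carry different TTLs on port 80 than on port 443 is a sign that one of the services passes through an intermediary such as a transparent proxy.

```python
import re
from collections import defaultdict

# Assumed set of common initial TTL values; hop distance is estimated
# against the smallest initial value that is >= the observed TTL.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample capture lines (not from the original thread).
SAMPLE_LINES = [
    "15 16.136761 192.168.0.2 207.46.18.30 TCP 2227 > http [SYN] ttl=64",
    "16 17.232115 207.46.18.30 192.168.0.2 TCP http > 2227 [SYN, ACK] ttl=62",
    "17 18.001200 192.168.0.2 207.46.18.30 TCP 2228 > https [SYN] ttl=64",
    "18 18.540000 207.46.18.30 192.168.0.2 TCP https > 2228 [SYN, ACK] ttl=48",
]

# Assumed summary format: frame time src dst proto sport > dport [flags] ttl=N
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+"
    r"\[[^\]]*\]\s+ttl=(?P<ttl>\d+)$"
)


def parse_line(line):
    """Parse one summary line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["frame"] = int(rec["frame"])
    rec["ttl"] = int(rec["ttl"])
    return rec


def estimate_hops(ttl):
    """Estimate router hops from an observed TTL, assuming a standard initial TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None  # an IPv4 TTL can never exceed 255


def ttl_profile(lines, local_prefix="192.168."):
    """For inbound packets only, map remote source -> {source port: set of TTLs}."""
    profile = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["dst"].startswith(local_prefix):
            continue  # skip unparsable lines and our own outbound packets
        profile[rec["src"]][rec["sport"]].add(rec["ttl"])
    return profile


def find_inconsistent_sources(lines, local_prefix="192.168."):
    """Return {src: {port: [ttls]}} for remote hosts whose TTL differs between services."""
    flagged = {}
    for src, ports in ttl_profile(lines, local_prefix).items():
        seen = {ttl for ttls in ports.values() for ttl in ttls}
        if len(seen) > 1:
            flagged[src] = {port: sorted(ttls) for port, ttls in ports.items()}
    return flagged


if __name__ == "__main__":
    for src, ports in find_inconsistent_sources(SAMPLE_LINES).items():
        print(f"{src}: TTL differs across services")
        for port, ttls in ports.items():
            hops = ", ".join(f"ttl={t} (~{estimate_hops(t)} hops)" for t in ttls)
            print(f"  {port}: {hops}")
```

In the constructed sample, the reply on port 80 arrives with TTL 62 (about 2 hops, as in the thread) while the reply on port 443 arrives with TTL 48 (about 16 hops); the same remote address cannot genuinely be at two distances, so the port-80 path is the one worth suspecting of an intermediary. Real captures are noisier: a host behind a load balancer may legitimately answer from several machines, so treat a mismatch as a reason to look further rather than as proof.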