How to find “TTL exceeded” packets

Let’s imagine you are an IP engineer and you suddenly notice an increasing number of “TTL exceeded” packets on your router. Your first thought is “what the hell is it? How do I find the source of these packets?”

Take it easy. Here is how to investigate such an issue on a Huawei router.

[labnario]display ip statistics
  Input:     sum               2783201      local               2321967
             bad protocol            0      bad format                0
             bad checksum            0      bad options               0
             discard srr             0      TTL exceeded         494196
  Output:    forwarding              0      local                886008
             dropped                 0      no route                  0
  Fragment:  input                   0      output                    0
             dropped                 0
             fragmented              0      couldn't fragment         0
  Reassembling:sum                   0      timeouts                  0

As you can see, there are “TTL exceeded” packets. The “display ip statistics” command shows packets that are directed to the CPU (the control plane), so don’t mix these counters up with the ones on the interface. For example, the interface may show no dropped packets while “display ip statistics” does.

What does “TTL exceeded” mean?

It means the router is receiving packets with TTL=1. After the router decrements the TTL it reaches zero, so the packet cannot be forwarded and is dropped.

What happens when it receives such packets?

It sends ICMP Time Exceeded messages (type 11, code 0) back to the sender of each dropped packet.

We can check it using the following command:

[labnario]display icmp statistics
  Input: bad formats            0      bad checksum                     0
         echo                3108      destination unreachable        294
         source quench          0      redirects                        0
         echo reply             0      parameter problem                0
         timestamp              0      information request              0
         mask requests          0      mask replies                     0
         time exceeded          0
         Mping request          0      Mping reply                      0
  Output:echo                   0      destination unreachable          0
         source quench          0      redirects                        0
         echo reply          3108      parameter problem                0
         timestamp              0      information reply                0
         mask requests          0      mask replies                     0
         time exceeded     494196
         Mping request          0      Mping reply                      0

When you compare both outputs you will see that “TTL exceeded” in the IP statistics equals “time exceeded” in the ICMP output statistics (494196 in both cases): every dropped packet produced one ICMP message.

Now, how to find the source of these packets? Enable ICMP debugging on the router and look at the debug output:

Feb 14 2012 09:08:08.250.1 labnario IP/7/debug_icmp:Slot=3;ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 10.222.143.13, Dst = 172.16.20.88; Original IP header: Pro = 17, Src = 172.16.20.88, Dst = 10.222.143.113, First 8 bytes = B5E400A1 002C9D0D

As you can see, debugging ICMP packets is helpful in this case: each line tells you who the Time Exceeded message was sent to (Dst = 172.16.20.88), which is the source of the offending packet, together with its original destination, protocol (Pro = 17 is UDP) and the first 8 bytes of the transport header, which contain the port numbers.
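When the debug output runs to hundreds of lines, it is quicker to parse it than to read it. The following is an added example (not from the original post): it parses lines in the format shown above, decodes the UDP/TCP ports from the “First 8 bytes” field, and counts which original senders are generating the TTL=1 packets. The regular expression assumes the field order stays as in the line above; the sample lines other than the one from the post are constructed.

```python
import re
from collections import Counter

# Matches the Huawei "IP/7/debug_icmp" line format shown above (field order assumed stable).
LOG_RE = re.compile(
    r"ICMP Send: ttl-exceeded\(Type=(?P<type>\d+), Code=(?P<code>\d+)\), "
    r"Src = (?P<icmp_src>[\d.]+), Dst = (?P<icmp_dst>[\d.]+); "
    r"Original IP header: Pro = (?P<proto>\d+), Src = (?P<orig_src>[\d.]+), "
    r"Dst = (?P<orig_dst>[\d.]+), First 8 bytes = (?P<first8>[0-9A-Fa-f]{8} [0-9A-Fa-f]{8})"
)

def parse_line(line):
    """Return a dict describing one debug line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = int(rec["proto"])
    # The first 8 bytes of the original payload are the start of the transport header;
    # for TCP (6) and UDP (17) the first two 16-bit fields are source and destination port.
    raw = bytes.fromhex(rec["first8"].replace(" ", ""))
    if rec["proto"] in (6, 17):
        rec["sport"] = int.from_bytes(raw[0:2], "big")
        rec["dport"] = int.from_bytes(raw[2:4], "big")
    return rec

def top_sources(lines, n=3):
    """Count the original senders (hosts whose packets arrived with TTL=1) by source, protocol, dport."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["orig_src"], rec["proto"], rec.get("dport"))] += 1
    return counts.most_common(n)

# First line is from the post; the rest are constructed for this example.
SAMPLE_LINES = [
    "Feb 14 2012 09:08:08.250.1 labnario IP/7/debug_icmp:Slot=3;ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 10.222.143.13, Dst = 172.16.20.88; Original IP header: Pro = 17, Src = 172.16.20.88, Dst = 10.222.143.113, First 8 bytes = B5E400A1 002C9D0D",
    "Feb 14 2012 09:08:09.110.1 labnario IP/7/debug_icmp:Slot=3;ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 10.222.143.13, Dst = 172.16.20.88; Original IP header: Pro = 17, Src = 172.16.20.88, Dst = 10.222.143.114, First 8 bytes = B5E500A1 002C1A2B",
    "Feb 14 2012 09:08:10.020.1 labnario IP/7/debug_icmp:Slot=3;ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 10.222.143.13, Dst = 172.16.20.88; Original IP header: Pro = 17, Src = 172.16.20.88, Dst = 10.222.143.115, First 8 bytes = B5E600A1 002C3C4D",
    "Feb 14 2012 09:08:10.900.1 labnario IP/7/debug_icmp:Slot=3;ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 10.222.143.13, Dst = 172.16.20.90; Original IP header: Pro = 6, Src = 172.16.20.90, Dst = 10.222.143.120, First 8 bytes = C0A80050 00000001",
]

if __name__ == "__main__":
    for (src, proto, dport), count in top_sources(SAMPLE_LINES):
        print(f"{src:<16} proto={proto:<3} dport={dport}  packets={count}")
```

On the line from the post the decoded destination port is 161, so the host 172.16.20.88 is sending UDP/161 packets that arrive at the router with TTL=1.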
