On Fri, 2003-12-12 at 11:05, Jeffrey Laramie wrote:
>
> Yeah, I definitely need a vacation. Next time I post something stupid like
> that *smack* me and say "Shut Up Jeff, let me answer this!"

Be careful what you wish for... ;-)

> The TTL of his packet was about 60 secs lower than what I usually see which
> makes Chris's explanation sound likely. How does TTL get calculated?

Actually, the TTL (63) is dead on if his server is running on Linux or BSD. Based on the window and packet size, I would guess Linux.

Per the RFC, a host is "supposed" to decrement the TTL by 1 for every hop crossed, as well as every second the packet is queued. So for example a router holding a packet for 5 seconds prior to transmitting should decrement the TTL by 6. In reality, most/all devices just decrement by one per hop and don't look at the time component. IMHO this is useful for us as a community as it makes it easier to use TTL for passively fingerprinting packets.

HTH,
C
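
The TTL reasoning in the message above, as an added example that is not part of the original post: it reads the TTL from a raw IPv4 header and rounds it up to the nearest common default to estimate the sender's OS family and hop distance. The default-TTL table, the function names and the sample headers are assumptions constructed for illustration, and the hop estimate relies on devices decrementing only once per hop, as the message describes.

```python
import struct

# Assumed table of common default initial TTLs (general knowledge, not from the post).
DEFAULT_TTLS = {64: "Linux/BSD", 128: "Windows", 255: "network gear / Solaris"}


def ipv4_ttl(packet: bytes) -> int:
    """Return the TTL field of a raw IPv4 header after basic sanity checks."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    return packet[8]  # TTL is the ninth byte of the header


def fingerprint_ttl(observed: int):
    """Round the observed TTL up to the nearest default; the gap is the hop count."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL out of range")
    initial = min(t for t in DEFAULT_TTLS if t >= observed)
    return initial, initial - observed, DEFAULT_TTLS[initial]


def sample_header(ttl: int) -> bytes:
    """Constructed 20-byte IPv4 header (documentation addresses, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))


if __name__ == "__main__":
    # 63 is the TTL discussed in the message; the other values are constructed.
    for ttl in (63, 117, 243):
        initial, hops, family = fingerprint_ttl(ipv4_ttl(sample_header(ttl)))
        print(f"observed={ttl} initial={initial} hops={hops} guess={family}")
```

TTL alone only narrows the OS family; the message also leans on window and packet size, which this sketch does not examine.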