1 | initial version |
The TTL is an IPv4 field. The hop count field is used in IPv6. The hop count is not tracked by TCP. If Wireshark thinks a packet is a duplicate, it will warn you. The Wireshark field for TTL is ip.ttl. You can try the display filter for ip.ttl==0, but don't be surprised if there aren't any matches. Before a packet is forwarded at layer 3, the TTL or hop count is decremented by 1. If the result is zero, then the packet is discarded and the source IP is notified that the time exceeded (IPv4) or hop count exceeded (IPv6).
A routing loop, low initial TTL, or non-optimal route can cause a TTL/hop count to exceed. What could be more helpful when looking for a layer 3 loop is a traceroute. You will be looking for the repeat of the same addresses in the traceroute.
2 | No.2 Revision |
The TTL is an IPv4 field. The hop count field is used in IPv6. The hop count is not tracked by TCP. If Wireshark thinks a packet is a duplicate, it will warn you. The Wireshark field for TTL is ip.ttl. You can try the display filter for ip.ttl==0, but don't be surprised if there aren't any matches. Before a packet is forwarded at layer 3, the TTL or hop count is decremented by 1. If the result is zero, then the packet is discarded and the source IP is notified that the time exceeded (IPv4) or hop count exceeded (IPv6). Capture the "exceeded" packet, and it will show the source of the message.
A routing loop, low initial TTL, or non-optimal route can cause a TTL/hop count to exceed. What could be more helpful when looking for a layer 3 loop is a traceroute. You will be looking for the repeat of the same addresses in the traceroute.
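The traceroute check described in the answer above, as an added example that is not part of the original answer: it parses `traceroute -n` style output (IPv4 or IPv6) and reports responder addresses that appear at more than one hop. The sample output is constructed from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed traceroute -n output (documentation addresses), not from a real network.
SAMPLE = """\
traceroute to 203.0.113.50 (203.0.113.50), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.398 ms  0.377 ms
 2  198.51.100.1  1.204 ms  1.188 ms  1.163 ms
 3  198.51.100.9  2.011 ms  1.987 ms  1.954 ms
 4  198.51.100.1  2.731 ms  2.702 ms  2.688 ms
 5  198.51.100.9  3.514 ms  3.490 ms  3.467 ms
 6  198.51.100.1  4.260 ms  4.241 ms  4.219 ms
 7  * * *
"""

def parse_hops(text):
    """Map hop number -> list of responder addresses (IPv4 or IPv6) on that line."""
    hops = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header line or blank line
        addrs = []
        for tok in tokens[1:]:
            try:
                addr = str(ipaddress.ip_address(tok.strip("()")))
            except ValueError:
                continue  # RTT value, "ms", "*", or an annotation such as "!H"
            if addr not in addrs:
                addrs.append(addr)
        hops[int(tokens[0])] = addrs
    return hops

def repeated_responders(hops):
    """Return {address: [hop numbers]} for responders seen at more than one hop."""
    seen = {}
    for n in sorted(hops):
        for addr in hops[n]:
            seen.setdefault(addr, []).append(n)
    return {a: ns for a, ns in seen.items() if len(ns) > 1}

def loop_summary(text):
    """Return (first_repeat_hop, cycle_length, repeats), or None when no address repeats."""
    repeats = repeated_responders(parse_hops(text))
    if not repeats:
        return None
    # The earliest second sighting is where the path re-enters a router it already crossed.
    _, ns = min(repeats.items(), key=lambda kv: kv[1][1])
    return ns[1], ns[1] - ns[0], repeats
```

Calling `loop_summary(SAMPLE)` reports the first repeated hop, the number of hops in one pass around the loop, and every repeated address with the hops where it answered.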