Packet sent repeatedly with decreasing TTL

I am wondering what's going on. On my Windows 8 computer I see many packets sent to the same host (identical ports) with ever-decreasing TTL until ICMP TTL exceeded replies come back. For example, below, packet 591 has TTL=84, packet 593 has TTL=83, ... and so on. Packet 592 has TTL=127, packet 594 TTL=126, ... and so on. All sent from my local IP address. I see something similar with the UDP conversation of an OpenVPN connection: many rapidly sent packets with the TTL always decreased by one, followed by ICMP ttl-exceeded replies. I couldn't google anything like this to help me understand.

591 2019-04-29 12:27:47,669222  192.168.9.16    208.123.73.199  TCP 54  43955 → 443 [ACK] Seq=168 Ack=255 Win=903 Len=0 TTL=84
592 2019-04-29 12:27:47,669316  192.168.9.16    208.123.73.199  TCP 178 [TCP Retransmission] 43955 → 443 [PSH, ACK] Seq=168 Ack=454 Win=902 Len=124  TTL=127
593 2019-04-29 12:27:47,669396  192.168.9.16    208.123.73.199  TCP 54  43955 → 443 [ACK] Seq=168 Ack=255 Win=903 Len=0 TTL=83
594 2019-04-29 12:27:47,669472  192.168.9.16    208.123.73.199  TCP 178 [TCP Retransmission] 43955 → 443 [PSH, ACK] Seq=168 Ack=454 Win=902 Len=124  TTL=126

I can't attach a pcap file, so here is another part of the unfiltered interface capture: Packet 1 has TTL=128, 2 TTL=127, ..., packet 5 TTL=124, ... and so on; these five packets were sent in a mere 354 us(!)

1   2019-04-29 12:27:45,917262  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174
2   2019-04-29 12:27:45,917386  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174
3   2019-04-29 12:27:45,917459  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174
4   2019-04-29 12:27:45,917546  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174
5   2019-04-29 12:27:45,917616  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174

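Added example (not part of the original question): a small Python check that finds the pattern described above in exported Wireshark summary rows, where an identical packet is re-sent to the same host with the TTL one lower each time. It assumes the export includes a trailing `TTL=` column; `find_ttl_sweeps` and its `min_run` threshold are names chosen for this example, and rows 595-598 of the sample are constructed.

```python
import re
from collections import defaultdict

# One Wireshark summary row: No, date, time, src, dst, proto, length, info, TTL=n
# (assumes ip.ttl was added as a column, as in the TCP rows of the question).
ROW = re.compile(
    r"^\s*(?P<no>\d+)\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*?)\s+TTL=(?P<ttl>\d+)\s*$")

# Rows 591-594 are from the question; 595-598 are constructed for this example.
SAMPLE = """\
591 2019-04-29 12:27:47,669222 192.168.9.16 208.123.73.199 TCP 54 43955 → 443 [ACK] Seq=168 Ack=255 Win=903 Len=0 TTL=84
592 2019-04-29 12:27:47,669316 192.168.9.16 208.123.73.199 TCP 178 [TCP Retransmission] 43955 → 443 [PSH, ACK] Seq=168 Ack=454 Win=902 Len=124 TTL=127
593 2019-04-29 12:27:47,669396 192.168.9.16 208.123.73.199 TCP 54 43955 → 443 [ACK] Seq=168 Ack=255 Win=903 Len=0 TTL=83
594 2019-04-29 12:27:47,669472 192.168.9.16 208.123.73.199 TCP 178 [TCP Retransmission] 43955 → 443 [PSH, ACK] Seq=168 Ack=454 Win=902 Len=124 TTL=126
595 2019-04-29 12:27:47,669550 192.168.9.16 208.123.73.199 TCP 54 43955 → 443 [ACK] Seq=168 Ack=255 Win=903 Len=0 TTL=82
596 2019-04-29 12:27:47,669630 192.168.9.16 208.123.73.199 TCP 178 [TCP Retransmission] 43955 → 443 [PSH, ACK] Seq=168 Ack=454 Win=902 Len=124 TTL=125
597 2019-04-29 12:27:47,700000 192.168.9.16 192.0.2.10 TCP 54 50000 → 443 [ACK] Seq=1 Ack=1 Win=1024 Len=0 TTL=128
598 2019-04-29 12:27:47,900000 192.168.9.16 192.0.2.10 TCP 54 50000 → 443 [ACK] Seq=1 Ack=1 Win=1024 Len=0 TTL=128
"""

def find_ttl_sweeps(text, min_run=3):
    """Return runs where the same packet is re-sent with TTL dropping by one."""
    runs = defaultdict(list)  # packet signature -> current run of (frame, ttl)
    sweeps = []

    def close(key):
        run = runs[key]
        if len(run) >= min_run:
            sweeps.append({"dst": key[1], "proto": key[2], "info": key[4],
                           "frames": [f for f, _ in run],
                           "ttls": [t for _, t in run]})
        runs[key] = []

    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # rows without a TTL column (e.g. the UDP rows) are skipped
        # Group by packet signature, not just by flow: the two TTL series in
        # the capture are interleaved and only separate once the info matches.
        key = (m["src"], m["dst"], m["proto"], m["len"], m["info"])
        ttl = int(m["ttl"])
        if runs[key] and runs[key][-1][1] - 1 != ttl:
            close(key)  # sequence broken: emit what we have, start over
        runs[key].append((int(m["no"]), ttl))
    for key in list(runs):
        close(key)
    return sweeps

if __name__ == "__main__":
    for s in find_ttl_sweeps(SAMPLE):
        print(s["dst"], s["proto"], s["frames"], s["ttls"], s["info"])
```

Grouping by flow alone would miss the pattern here, because the ACK series (84, 83, ...) and the retransmission series (127, 126, ...) alternate frame by frame.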