1. Introduction to PING
The ping command checks whether a target IP address can be reached and records the result.
The ping command shows whether the target responds and the time required to receive the reply.
If an error occurs while the packet is being delivered to the target, the ping command displays an error message.
ICMP Echo (Type 8) and Echo Reply (Type 0)
We use an ICMP Echo packet to detect whether host B is alive (assuming, of course, that the host is not configured to filter ICMP).
Host A sends an ICMP Echo (Type 8) packet to the target host.
If host A receives an ICMP Echo Reply (ICMP Type 0) packet, the host is alive.
If not, you can preliminarily conclude that the host is not online or that some filtering device has filtered the ICMP reply.
+---------------------------------------------------------------+
|                                                               |
|  +-------+                                       +-------+    |
|  |       |        ICMP Echo Request              |       |    |
|  | HOST  | ------------------------------------> | HOST  |    |
|  |       |                                       |       |    |
|  |   A   |                                       |   B   |    |
|  |       | <------------------------------------ |       |    |
|  |       |        ICMP Echo Reply                |       |    |
|  +-------+                                       +-------+    |
|                                                               |
+---------------------------------------------------------------+
This mechanism is what the ordinary ping command uses to check whether the target host is reachable.
Typical example:
C:\> ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<10ms TTL=128
Reply from 192.168.0.1: bytes=32 time<10ms TTL=128
Reply from 192.168.0.1: bytes=32 time<10ms TTL=128
Reply from 192.168.0.1: bytes=32 time<10ms TTL=128
Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
2. Pay attention to TTL
TTL: Time to live
Specifies the number of network segments a datagram is allowed to pass through before it is discarded by a router.
TTL is set by the sending host to prevent packets from circulating endlessly on an IP network. When forwarding an IP packet, a router must reduce the TTL by at least 1.
ICMP packet types involved in PING:
- ICMP Echo Request
- ICMP Echo Reply
3. The TTL field value helps us identify the operating system type
- The TTL field value of the ICMP echo response in UNIX and UNIX-like operating systems is 255.
- The TTL field value of the ICMP echo response in Compaq Tru64 5.0 is 64.
- The TTL field value of the ICMP echo response in Microsoft Windows NT/2K operating systems is 128.
- The TTL field value of the ICMP echo response in Microsoft Windows 95 is 32.
Of course, the returned TTL value is the same.
But in some cases:
- LINUX Kernel 2.2.x & 2.4.x
  The TTL field value of the ICMP echo response is 64.
- FreeBSD 4.1, 4.0, 3.4;
  Sun Solaris 2.5.1, 2.6, 2.7, 2.8;
  OpenBSD 2.6, 2.7;
  NetBSD;
  HP-UX 10.20
  The TTL field value of the ICMP echo response is 255.
- Windows 95/98/98SE;
  Windows ME
  The TTL field value of the ICMP echo response is 32.
- Windows NT4 WRKS;
  Windows NT4 Server;
  Windows 2000
  The TTL field value of the ICMP echo response is 128.
In this way, we can identify the operating system from the TTL value:
Operating system    TTL
LINUX               64
WIN2K/NT            128
WINDOWS series      32
UNIX series         255
The tested operating systems are as follows:
LINUX Kernel 2.2.x, Kernel 2.4t1-6; FreeBSD 4.1, 4.0, 3.4; OpenBSD 2.7, 2.6; NetBSD
1.4.2; Sun Solaris 2.5.1, 2.6, 2.7, 2.8; HP-UX 10.20, 11.0; AIX 4.1, 3.2; Compaq
Tru64 5.0; Irix 6.5.3, 6.5.8; BSDI BSD/OS 4.0, 3.1; Ultrix 4.2-4.5; OpenVMS 7.1-2;
Windows 95/98/98SE/ME; Windows NT 4 Workstation SP3, SP4, SP6a; Windows NT 4
Server SP4; Windows 2000 Professional, Server, Advanced Server.
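An added example (not part of the original article) that combines sections 2 and 3: a reply's TTL has already been reduced by each router on the path, so the observed value has to be mapped back to an initial value before the table applies. The round-up heuristic and the function names are assumptions made here; the sample replies are constructed.

```python
import re

# Initial TTL -> OS family, taken from the summary table in this article.
INITIAL_TTL_OS = {
    32: "WINDOWS series (95/98/98SE/ME)",
    64: "LINUX (also Compaq Tru64 5.0)",
    128: "WIN2K/NT",
    255: "UNIX series",
}

# Matches reply lines printed by Windows ping (TTL=128) and Unix ping (ttl=64).
REPLY_RE = re.compile(
    r"from\s+(\d{1,3}(?:\.\d{1,3}){3}).*?ttl\s*=\s*(\d+)", re.IGNORECASE)


def guess_from_ttl(observed_ttl):
    """Return (initial_ttl, hops, os_family) for an observed reply TTL.

    Assumption: the sender used the smallest listed default that is >= the
    observed value, because each router on the path subtracts at least 1.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in INITIAL_TTL_OS if t >= observed_ttl)
    return initial, initial - observed_ttl, INITIAL_TTL_OS[initial]


def fingerprint_ping_output(text):
    """Map each replying address in ping output to its TTL-based guess."""
    results = {}
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:  # timeouts and statistics lines carry no TTL and are skipped
            results[m.group(1)] = guess_from_ttl(int(m.group(2)))
    return results


# Constructed sample replies (not captured from real hosts).
SAMPLE = """\
Reply from 192.168.0.1: bytes=32 time<10ms TTL=128
64 bytes from 192.0.2.10: icmp_seq=1 ttl=53 time=21.4 ms
Reply from 192.0.2.20: bytes=32 time=40ms TTL=243
Request timed out.
"""

if __name__ == "__main__":
    for host, (initial, hops, os_family) in fingerprint_ping_output(SAMPLE).items():
        print(f"{host}: initial TTL {initial}, about {hops} hops, {os_family}")
```

The default TTL is a tunable setting on most systems and the round-up step can misjudge long paths, so treat the result as a hint to confirm with other evidence.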
Appendix:
The types of ICMP packets include:
ECHO (Request (Type 8), Reply (Type 0)) -- echo response,
Time Stamp (Request (Type 13), Reply (Type 14)) -- timestamp request and response,
Information (Request (Type 15), Reply (Type 16)) -- information request and response,
Address Mask (Request (Type 17), Reply (Type 18)) -- address mask request and response.