Hey there, let's tackle your ping TTL questions clearly and practically!

First, a quick refresher: TTL (Time to Live) starts as a default value set by the source OS (e.g., Windows uses 128, most Linux/Unix systems use 64) and decreases by 1 every time the ping packet passes through a router.

When comparing TTL values from ping results:

• Identify baseline values: Note the consistent TTLs from your target. For example, in your sample output, some replies have TTL=128 (likely coming from a Windows-based host or a path with no routers between you and it) and others have TTL=64 (probably a Linux/Unix host or a path with more hops).
• Spot inconsistencies: If TTL values jump between different numbers (like 128 and 64 in your example), this usually means the ping packets are taking different routing paths to the target, or the target has multiple nodes with different OS defaults.
• Calculate hop count: Subtract the received TTL from the typical initial TTL (128 for Windows, 64 for Linux) to estimate how many routers the packet passed through. For example, a TTL=127 means 1 hop, TTL=63 means 1 hop from a Linux source.

The method depends on your operating system:

Windows #

Use findstr with a regular expression to match TTL values in the 100-225 range:

ping x.x.x.x | findstr /r "TTL=(1[0-9][0-9]|2[01][0-9]|22[0-5])"

• /r enables regex mode.
• The regex 1[0-9][0-9] matches 100-199, 2[01][0-9] matches 200-219, and 22[0-5] matches 220-225.

In your sample output, this command would only show the lines with TTL=128 and filter out the TTL=64 entries.

Linux/macOS #

Use grep with extended regex (-E) to filter results:

ping x.x.x.x | grep -E "TTL=(1[0-9]{2}|2[01][0-9]|22[0-5])"

• -E allows extended regular expressions for cleaner syntax.
• The regex works the same way as the Windows version, targeting exactly the 100-225 TTL range.

内容的提问来源于stack exchange，提问作者John Smith