TTL
Time to Live
A field with two important meanings: in IP packets, a hop counter that decrements at each router and causes the packet to be discarded at zero — preventing infinite routing loops; in DNS, the number of seconds a resolver may cache a record before it must re-query.
In the IP header, TTL is an 8-bit field (0–255). The sending OS sets an initial value (typically 64 or 128). Every router that forwards the packet decrements TTL by 1. When a router receives a packet with TTL=1, it decrements to 0, drops the packet, and sends an ICMP "Time Exceeded" message back to the source. This prevents mis-routed or looping packets from circulating forever. Without TTL, a routing loop would fill links with infinite traffic. The traceroute tool exploits TTL deliberately to map network paths.
TTL contexts
| Context | What TTL means | Unit | Typical values |
|---|---|---|---|
| IP packet | Max remaining hops before discard | Hops (decremented per router) | 64 (Linux/Mac), 128 (Windows), 255 (routers) |
| DNS record | Cache duration before re-query | Seconds | 300 (5 min), 3600 (1 hr), 86400 (24 hr) |
| CDN/cache | How long cached object is valid | Seconds | Set by Cache-Control max-age header |
| ARP cache | How long MAC-to-IP mapping is cached | Seconds | ~60–1200s depending on OS |
TTL and traceroute
Traceroute sends packets with TTL=1, 2, 3… in sequence. Each router that discards a packet returns an ICMP Time Exceeded message revealing its IP address and the round-trip time to that hop. The output shows the path packets take across the internet and where latency accumulates. A sudden jump in RTT between hops indicates the packet crossed a long-distance link (submarine cable, satellite, intercontinental). Hops showing * * * mean the router either doesn't send ICMP Time Exceeded responses or rate-limits them — they're not necessarily dropped, the final destination may still be reachable.
Frequently Asked Questions
What TTL value does traceroute use?
Traceroute starts with TTL=1, incrementing by 1 each probe. Each router that discards the packet returns an ICMP Time Exceeded with its IP and timing. This maps each hop along the path. The destination responds with ICMP Port Unreachable or Echo Reply, signalling the end of the path.
What DNS TTL should I set for my domain?
3600s (1 hour) for stable records, 300s (5 minutes) before planned changes, 86400s (24 hours) for very stable records. Lower TTL before DNS migrations so caches expire quickly after changes. Raise TTL back after propagation confirms success.
What does TTL tell you in a ping response?
The remaining TTL of the reply packet. Linux/Mac defaults to 64; Windows to 128. TTL=54 in a reply means 64 − 10 hops — Linux server, 10 routers away. TTL=119 means 128 − 9 hops — Windows server. Useful for quick OS fingerprinting and hop count estimation.