TTL Hop Counter

Estimate the number of network hops a packet has traversed based on its received TTL value. This tool detects the likely starting TTL, identifies the probable remote operating system, and calculates the hop count — all locally in your browser.

Received TTL Value

What Is TTL (Time to Live)?

TTL (Time to Live) is a field in the IP header that limits a packet's lifetime on the network. Every time a packet passes through a router (a "hop"), the TTL value is decremented by 1. When TTL reaches 0, the packet is discarded and an ICMP "Time Exceeded" message is sent back to the sender — this is the mechanism that makes traceroute work.

By examining the received TTL value, you can estimate how many routers a packet passed through to reach you. This is useful for network diagnostics, OS fingerprinting, and understanding your network path. For more detailed path analysis, use our Ping Test or Network Latency Test.

Default TTL Values by Operating System

Different operating systems set different initial TTL values. Knowing these defaults lets you work backward from a received TTL to identify the remote OS and hop count:

Operating System	Default TTL	Protocol
Linux (kernel 2.4+)	64	IPv4 and IPv6
macOS / iOS	64	IPv4 and IPv6
Android	64	IPv4 and IPv6
FreeBSD / OpenBSD	64	IPv4 and IPv6
Windows 10/11	128	IPv4 and IPv6
Windows Server 2016+	128	IPv4 and IPv6
Windows 7/8	128	IPv4
Windows XP	128	IPv4
Cisco IOS	255	IPv4
Juniper JUNOS	255 (64 for transit)	IPv4
Solaris 10+	255	IPv4
HP-UX	255	IPv4
Windows 95/98	32	IPv4

Pro Tip: If you ping a host and get a TTL of 117, the nearest standard starting TTL is 128 (Windows). That means the packet crossed 128 - 117 = 11 hops. If you get TTL 52, the starting TTL was likely 64 (Linux/macOS), meaning 12 hops. This technique is a quick way to fingerprint remote hosts. For checking your own connection, use our What Is My IP tool to see your public address and test latency with the Ping Test.

How TTL Hop Counting Works

The hop counting formula is straightforward:

Hops = Initial TTL - Received TTL

The challenge is determining the initial TTL, since the IP header only shows the current (decremented) value. The algorithm uses this logic:

Received TTL 1-32: Assume start TTL = 32 (legacy systems)
Received TTL 33-64: Assume start TTL = 64 (Linux/Unix/macOS)
Received TTL 65-128: Assume start TTL = 128 (Windows)
Received TTL 129-255: Assume start TTL = 255 (network equipment)

This heuristic is correct for the vast majority of internet traffic. The only ambiguity occurs near the boundaries — for example, a TTL of 63 could be a Linux host 1 hop away, or a very distant Windows host 65 hops away (extremely unlikely). For subnet and IP analysis, see our Subnet Calculator and IP to Binary Converter.

TTL in Traceroute

The traceroute (or tracert on Windows) command exploits TTL to map the network path:

Send a packet with TTL=1. The first router decrements it to 0 and replies with ICMP Time Exceeded, revealing its IP.
Send with TTL=2. The second router replies.
Continue incrementing until the destination responds.

Windows

tracert 8.8.8.8

macOS / Linux

traceroute 8.8.8.8
# UDP-based (default on Linux)

traceroute -I 8.8.8.8
# ICMP-based (like Windows tracert)

Typical internet paths are 8-15 hops. If you see more than 20 hops, your traffic may be taking a suboptimal route. Check if your ISP is throttling or rerouting your connection. For quick latency testing from your browser, use our Network Latency Test.

Practical Uses of TTL Analysis

Understanding TTL values has several practical applications in networking and security:

OS fingerprinting — Security scanners like Nmap use TTL values as one signal to identify remote operating systems without directly querying them.
Network troubleshooting — Unexpectedly low TTL values can indicate routing loops or overly long paths. If a normally 5-hop path suddenly shows 15 hops, investigate.
Load balancer detection — If pings to the same host return alternating TTL values (e.g., 118 and 54), multiple servers with different OSes are behind a load balancer.
CDN identification — Very low hop counts (1-3) to major websites indicate you're hitting a nearby CDN edge server.
Firewall analysis — Some firewalls rewrite TTL values. If incoming TTLs don't match expected patterns, a middlebox may be modifying packets.

For deeper network analysis, combine TTL data with Hex IP conversion and CIDR analysis to identify the networks between you and your destination.

Note: TTL-based OS detection is not foolproof. System administrators can change default TTL values (e.g., sysctl -w net.ipv4.ip_default_ttl=128 on Linux). Some firewalls normalize TTL values to prevent OS fingerprinting. NAT devices may also modify TTL. Always use TTL as one data point among several for network analysis. Verify findings with our Speed Test and Ping Test.

TTL Values in DNS

TTL also appears in DNS records, but with a completely different meaning. In DNS, TTL specifies how long (in seconds) a resolver should cache a record before requesting a fresh copy. This is unrelated to IP packet TTL:

DNS TTL Value	Duration	Use Case
60	1 minute	Failover, load balancing, dynamic IPs
300	5 minutes	Frequently changing records
3600	1 hour	Standard records, good default
86400	24 hours	Stable records, MX records
604800	7 days	Very stable records, TXT verification

For DNS-related investigations, use our DNS Lookup tool to check current record TTLs and values.

Common TTL Scenarios

Here are typical TTL values you might encounter and what they tell you about the network path:

Received TTL	Start TTL	Hops	Interpretation
64	64	0	Localhost or same-machine connection
63	64	1	Linux/Mac on same LAN segment
128	128	0	Windows localhost
126	128	2	Windows host, 2 hops (e.g., through router + switch)
117	128	11	Windows host, typical internet distance
52	64	12	Linux host, typical internet distance
245	255	10	Network device (router/switch), 10 hops
1	64 or 128	63 or 127	Probably a traceroute probe or near-expiry

Key Takeaways

TTL decrements by 1 at each router hop — received TTL reveals the number of routers between you and the source.
Common starting TTLs: 64 (Linux/macOS), 128 (Windows), 255 (network equipment).
Typical internet paths are 8-15 hops. More than 20 suggests suboptimal routing.
TTL-based OS fingerprinting is useful but not foolproof — admins can change default values.
DNS TTL is measured in seconds and controls caching — it's different from IP packet TTL.
Use Ping Test and Network Latency Test alongside hop counting for full path analysis.

Video: TTL and Traceroute Explained

Related Tools and Guides

Frequently Asked Questions

What does TTL stand for in networking?

TTL stands for Time to Live. Despite the name, it doesn't measure time — it counts hops. Each router that forwards a packet decrements the TTL by 1. When TTL reaches 0, the packet is discarded. This prevents packets from circulating endlessly in routing loops.

How do I find the TTL of a packet I received?

The easiest way is to use the ping command. When you ping a host, the reply shows the TTL value. On Windows: ping 8.8.8.8 shows "TTL=117". On Linux/macOS: ping -c 1 8.8.8.8 shows "ttl=117". You can also capture packets with Wireshark to see TTL values in the IP header.

Can TTL values be spoofed or changed?

Yes. Administrators can change the default TTL on their systems (e.g., Linux: sysctl net.ipv4.ip_default_ttl). Some firewalls and middleboxes normalize or rewrite TTL values. This means TTL-based OS detection is a heuristic, not a guarantee. It works reliably for most internet hosts but can be intentionally defeated.

Why would two pings to the same host show different TTL values?

This usually indicates asymmetric routing (different paths for different packets), a load balancer distributing requests across servers with different operating systems, or a network change occurring between pings. It can also happen with anycast addresses where different DNS or CDN servers respond from different locations.

What is the maximum TTL value?

The TTL field in the IPv4 header is 8 bits, so the maximum value is 255. In IPv6, the equivalent field is called "Hop Limit" and also has a maximum of 255. No standard operating system uses a default higher than 255, and most use 64 or 128.

Does TTL affect my internet speed?

TTL itself doesn't affect speed, but the hop count it reveals does correlate with latency. More hops generally mean more latency because each router adds processing delay. A path with 20 hops will typically have higher latency than one with 8 hops. Test your actual latency with our Network Latency Test and compare to your speed test results.

What is the IPv6 equivalent of TTL?

In IPv6, TTL is replaced by the "Hop Limit" field, which functions identically — it decrements by 1 at each router and the packet is discarded when it reaches 0. The name change reflects the fact that this field counts hops, not time. Most IPv6 implementations use the same default values as IPv4 (64 for Linux/macOS, 128 for Windows).

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.