Routes and Hop Distance
For active scans, one host can find the default route and an actual list of all routers between it and a target platform. To do this, it sends one packet after another with a slightly larger TTL (time to live) value. Each time a router receives a packet, it decrements the TTL value and sends it on. If a router receives a packet with a TTL value of one, it sends a message back to the originating server stating that the TTL has expired. The server sends packets to the target host with greater and greater TTL values and collects the IP addresses of the routers sending expiration messages in-between.
Since Industrial Security is entirely passive, it cannot send or elicit packets from the routers or target computers. It can however, record the TTL value of a target machine. The TTL value is an 8-bit field, which means it can contain a value between 0 and 255. Most machines use an initial TTL value of 32, 64, 128, or 255. Since there is a maximum of 16 hops between your host and any other host on the internet, Industrial Security uses an algorithm to map any TTL to the number of hops.
For example, if Industrial Security sniffed a server sending a packet with a TTL of 126, it detects that 128 is two hops away. Industrial Security does not know the IP address of the in-between routers.
Note: Modern networks have many devices such as NAT firewalls, proxies, load balancers, intrusion prevention, routers, and VPNs that rewrite or reset the TTL value. In these cases, Industrial Security may report inconsistent hop counts.