Routes and Hop Distance

For active scans, one host can find the default route and an actual list of all routers between it and a target platform. To do this, it sends one packet after another with a slightly larger TTL (time to live) value. Each time a router receives a packet, it decrements the TTL value and sends it on. If a router receives a packet with a TTL value of one, it sends a message back to the originating server stating that the TTL has expired. The server sends packets to the target host with greater and greater TTL values and collects the IP addresses of the routers sending expiration messages in-between.

Since PVS is entirely passive, it cannot send or elicit packets from the routers or target computers. It can however, record the TTL value of a target machine. The TTL value is an 8-bit field, which means it can contain a value between 0 and 255. Most machines use an initial TTL value of 32, 64, 128, or 255. Since there is a maximum of 16 hops between your host and any other host on the internet, PVS uses an algorithm to map any TTL to the number of hops.

For example, if PVS sniffed a server sending a packet with a TTL of 126, it detects that 128 is two hops away. PVS does not know the IP address of the in-between routers.

Note: Modern networks have many devices such as NAT firewalls, proxies, load balancers, intrusion prevention, routers, and VPNs that rewrite or reset the TTL value. In these cases, PVS may report inconsistent hop counts.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.