
Detecting Tethering using TCP TTL, Python, PHP, MariaDB on AWS.

You might have come across Telecom companies providing connections with the caveat that the Data Bundle/Pack is NOT to be used for tethering i.e. the data should only be used on the device/handset and you cannot share your data with friends and family by enabling hotspotting on your handset.

And have you ever wondered how on earth the telecom company would identify that the data is coming from a tethered device? If this question has popped up in your mind, keep on reading.

A quick Google search on this topic will turn up several possible ways to detect tethering. Here I focus on one: the TTL value carried in the IP header of each TCP packet, and how to read and process it with Python.

Analyze TCP packets for TTL

By Michel Bakni — Postel, J. (September 1981) RFC 791, Internet Protocol, DARPA Internet Program Protocol Specification, The Internet Society, p. 11 DOI: 10.17487/RFC0791, CC BY-SA 4.0

From the Internet Protocol RFC specification (RFC 791), Time to Live (TTL) is a field that indicates the maximum time the datagram is allowed to remain in the internet system. This field is modified in internet header processing.

  • If this field contains the value zero, then the datagram must be destroyed.
  • The TTL value is decreased by at least one every time the packet is processed by a network router (layer 3 device), before it is forwarded to the next hop.

So when the data originates from a mobile device, the packets would have a TTL value of 255 (for example); when the data originates from a tethered device, the TTL value would be 255 minus 1, i.e. 254, since the mobile handset acts as a layer 3 router.

This difference between the TTL values is the clue to whether the data comes directly from the device or is being tethered.

TTL Values decrement at every hop.

The identification of data being tethered can be useful for other purposes as well.

a) Security

b) Different user experiences for a website

Now the fun part — Building an endpoint to detect tethered traffic.

Let’s simulate and put the theory to the test.

The journey of a TCP Packet and the diminishing TTL values across each hop/router.

The objective is to create an endpoint to display if the client is connected through a tethered connection.

Step 1:- Backend Python script to extract a) SourceIP b) SourcePort c) TTL from the TCP packets on an interface and store the SourceIP, SourcePort and TTL values in a DB (MariaDB).

The SourceIP, SourcePort combo is used to identify and correlate the HTTP packets received at the webserver.

Step 1.5:- Build a lookup table with SourceIP and TTL values when browsing through the 4G/5G network of a mobile operator.

Step 2:- Webserver — PHP code to read the SourceIP and SourcePort from the HTTP request and query the DB to read the TTL value.

If TTL value of the current request is less than the TTL value of any previous request then the request is most likely tethered.
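Steps 1, 1.5 and 2 above as an added example (not the author's script): it parses the IPv4 and TCP headers for source IP, source port and TTL, then applies the comparison rule. The `TtlStore` dictionaries stand in for the MariaDB table and `build_packet` produces constructed sample packets with documentation-range addresses; all of these names are assumptions.

```python
import socket
import struct

def parse_ipv4_tcp(packet: bytes):
    """Return (src_ip, src_port, ttl) for a raw IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 2:
        return None
    ttl, proto = packet[8], packet[9]         # TTL is byte 8, protocol is byte 9
    if proto != socket.IPPROTO_TCP:
        return None
    src_ip = socket.inet_ntoa(packet[12:16])
    (src_port,) = struct.unpack("!H", packet[ihl:ihl + 2])
    return src_ip, src_port, ttl

class TtlStore:
    """In-memory stand-in (assumption) for the MariaDB table of step 1."""
    def __init__(self):
        self.by_flow = {}    # (src_ip, src_port) -> TTL of that connection
        self.baseline = {}   # src_ip -> highest TTL seen so far (step 1.5)

    def record(self, packet: bytes):
        parsed = parse_ipv4_tcp(packet)
        if parsed:
            ip, port, ttl = parsed
            self.by_flow[(ip, port)] = ttl
            self.baseline[ip] = max(ttl, self.baseline.get(ip, 0))
        return parsed

    def is_tethered(self, ip: str, port: int):
        """Step 2: True if the flow's TTL is below the highest seen; None if unseen."""
        ttl = self.by_flow.get((ip, port))
        return None if ttl is None else ttl < self.baseline[ip]

def build_packet(src_ip: str, src_port: int, ttl: int) -> bytes:
    """Constructed sample input: minimal IPv4 + TCP SYN headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, socket.IPPROTO_TCP,
                     0, socket.inet_aton(src_ip), socket.inet_aton("203.0.113.10"))
    tcp = struct.pack("!HHLLBBHHH", src_port, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    store = TtlStore()
    store.record(build_packet("198.51.100.7", 40001, 52))  # from the handset itself
    store.record(build_packet("198.51.100.7", 40002, 51))  # one extra hop behind it
    for port in (40001, 40002):
        print(port, "tethered:", store.is_tethered("198.51.100.7", port))
```

On Linux the same `parse_ipv4_tcp` can be fed from a raw `AF_PACKET` socket (root required) after stripping the 14-byte Ethernet header.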

PYTHON SCRIPT TO READ TCP Packet and store TTL Values.




How to test it quickly within an AWS Env?

  1. Deploy the Python script onto a Linux-based EC2 instance.

Note:- you might get tempted to deploy the code into a lambda function, but

a) Lambda functions do not provide the source port of the incoming request, which is the key to correlating the TCP packet

b) I haven’t tried it myself to confirm if the Python script would be given privs to read the interface.

2. Follow this link to install a LAMP stack on an EC2 instance.

3. Copy and paste the PHP code in the www folder.

4. Run the DB script in MariaDB or MySQL.

5. You are good to go.

6. Hit your endpoint while on the 3G/4G network of your mobile.

7. Enable mobile hotspot and connect another device.

8. Hit the same URL from the other device. You should see it says that you are tethering.


This process is prone to errors and checks should be put in place accordingly. For example:-

a) A new router might be introduced within the client’s network. (For telecom companies this is less of an issue, since they control how the network is laid out and can update the TTL values accordingly.)

b) You need to sample data from various ISPs/telcos to be able to take any action reliably.

c) The code is only meant to simulate how to read and use the TCP packet’s TTL values. It is in no way to be used for any production scenarios.

Hope you enjoyed reading, and feel free to put through your comments with any suggestions or corrections to this blog. Cheers.


