Dynamically Evaluate TTL Behavior Based on Observed Values

[biandratti]

The current implementation of TTL (Time-to-Live) always uses the Ttl::Distance variant, regardless of the observed TTL value. This approach is inflexible because TTL behavior can vary depending on the context, observed value, and common defaults used by operating systems or network devices.

We need a more dynamic evaluation of TTL to improve accuracy, allowing it to categorize TTL values into appropriate variants such as Ttl::Value, Ttl::Distance, or Ttl::Bad.

Problem Statement
Time-to-Live (TTL) in IP packets helps estimate the number of hops a packet has traveled. However, the current implementation lacks the ability to dynamically determine the most appropriate representation of TTL.

The key issues are:

• Static Representation: TTL is always represented as Ttl::Distance, with the distance being calculated based on a guessed initial TTL. This ignores cases where the TTL value:
• Lack of Flexibility: Other variants like Ttl::Value (raw TTL) and Ttl::Bad (invalid TTL) are not evaluated dynamically, leading to less accurate analysis.

The solution must return the correct Ttl variant based on the following rules:

• Ttl::Distance if the observed TTL matches or aligns with known initial values.
• Ttl::Value if no match is found, preserving the raw TTL value.
• Ttl::Bad if the TTL is clearly invalid (e.g., 0).