tcpdump mailing list archives
Re: Fw: print ip id
From: Guy Harris <gharris () sonic net>
Date: Sat, 19 Apr 2003 15:10:27 -0700
On Sat, Apr 19, 2003 at 03:27:40PM -0400, George Bakos wrote:
I'm curious as to why we test for nonzero frag offset before printing the ip id, even though vflag is set.
The test is actually for a nonzero frag offset *AND* a non-zero MF bit - it's testing whether the packet is complete or a fragment.

That was done as part of revision 1.118:

    revision 1.118
    date: 2002/12/28 17:59:09;  author: hannes;  state: Exp;  lines: +11 -8
    - move IP option processing from the trail up to the header
    - suppress IP id == 0

which changed the test from

    if ((off & 0x3fff) == 0)

to

    if ((off & 0x3fff) != 0)

Before the change, the IP ID was printed as ", id N" for unfragmented packets, and as part of the " (frag N:{len}@{offset}{mf})" stuff for subsequent fragments. After the change, the IP ID is not printed at all for unfragmented packets, and is printed twice for fragments.

The change also moves where the TOS, TTL, length, and IP ID are printed - it's now printed before the stuff from the higher-level protocol. I don't know whether that helps more scripts than it breaks, or breaks more scripts than it helps. (It breaks all scripts that expect output for tcpdump 3.7.2 and earlier.)
Many intrusion analysts (self-serving rant here) correlate based on ip id, and it is often an indicator of poorly crafted packets. Its absence is a pain.
It's present in all tcpdump releases going back to 3.4, at least, so I agree that it should be put back.
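To make the effect of the reversed test concrete, here is an added example (not tcpdump's own code) that applies both versions of the `(off & 0x3fff)` check to two constructed IPv4 headers and counts how often the IP id ends up in the rendered header line; the header bytes, function names and the simplified "(frag ...)" rendering are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MF      0x2000  /* more-fragments flag */
#define IP_OFFMASK 0x1fff  /* 13-bit fragment offset, in 8-byte units */

/* Two constructed 20-byte IPv4 headers (not real captures): a complete packet
   with DF set, and a middle fragment with MF set and a fragment offset of 185. */
static const uint8_t complete_hdr[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1a, 0x2b, 0x40, 0x00, 0x40, 0x06,
    0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0x02 };
static const uint8_t frag_hdr[20] = {
    0x45, 0x00, 0x05, 0xdc, 0x1a, 0x2b, 0x20, 0xb9, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0x02 };
static char line[96];  /* scratch output buffer */

static unsigned be16(const uint8_t *p) { return (unsigned)(p[0] << 8 | p[1]); }

/* The test the thread is about: nonzero for any fragment (offset != 0 or MF
   set), zero for a complete, unfragmented datagram. */
int ip_is_fragment(const uint8_t *hdr) { return (be16(hdr + 6) & 0x3fff) != 0; }

/* Build the id/fragment part of the header line as the reply describes it.
   before_1_118 != 0 applies the older rule (", id N" only when the packet is
   not a fragment); 0 applies the reversed test from revision 1.118.
   Returns how many times the IP id ends up in the output. */
int ip_render_id(const uint8_t *hdr, int before_1_118, char *out, size_t n)
{
    unsigned id = be16(hdr + 4), off = be16(hdr + 6);
    unsigned payload = be16(hdr + 2) - (hdr[0] & 0x0f) * 4u;
    int frag = ip_is_fragment(hdr), count = 0;

    out[0] = '\0';
    if (before_1_118 ? !frag : frag) {
        snprintf(out, n, ", id %u", id);
        count++;
    }
    if (frag) {  /* fragments always carry the id in the "(frag ...)" part */
        size_t used = strlen(out);
        snprintf(out + used, n - used, " (frag %u:%u@%u%s)", id, payload,
                 (off & IP_OFFMASK) * 8u, (off & IP_MF) ? "+" : "");
        count++;
    }
    return count;
}
```

With the post-1.118 rule the complete packet yields an empty string and the fragment carries id 6699 twice, which is exactly the behaviour the reply complains about.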