tcpdump mailing list archives
Re: Fw: print ip id
From: Hannes Gredler <hannes () juniper net>
Date: Tue, 22 Apr 2003 15:59:07 +0200
On Sat, Apr 19, 2003 at 03:10:27PM -0700, Guy Harris wrote:
| > Many intrusion analysts (self-serving rant here) correlate based on ip id,
| > and it is often an indicator of poorly crafted packets. Its absence is a
| > pain.
|
| It's present in all tcpdump releases going back to 3.4, at least, so I
| agree that it should be put back.

i see, would anybody object if we move the entire detailed frag processing
under the verbose option before we branch out dissecting the IP proto?
[like done in the attached patch?]

the code would get a bit more readable then; the result would look like:

./tcpdump -nvr tcp-test.tcpdump | cut -b -78

15:42:58.073771 (tos 0x0, ttl 64, id 42397, offset 0, flags [DF], length: 60)
15:42:58.118385 (tos 0x0, ttl 60, id 45200, offset 0, flags [DF], length: 60)
15:42:58.118472 (tos 0x0, ttl 64, id 42398, offset 0, flags [DF], length: 52)
15:42:59.009982 (tos 0x0, ttl 60, id 45212, offset 0, flags [DF], length: 75)
15:42:59.010065 (tos 0x0, ttl 64, id 42399, offset 0, flags [DF], length: 52)
15:42:59.010545 (tos 0x0, ttl 64, id 42400, offset 0, flags [DF], length: 74)
15:42:59.067028 (tos 0x0, ttl 60, id 45213, offset 0, flags [DF], length: 136)

/hannes
Attachment: fragments_print-ip.c.diff
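An added example, not from the thread or from tcpdump's sources: it parses the verbose IP header lines shown above and flags ip id values that repeat or jump within a stream, the kind of correlation the quoted analyst relies on. The last two sample lines are constructed to show the anomalies, and keying streams on ttl is a stand-in for the source address that `cut -b -78` trimmed off.

```python
import re

# Constructed sample: the seven header lines from the mail plus two extra
# constructed lines (a repeated id and an id far outside the sequence).
SAMPLE = """\
15:42:58.073771 (tos 0x0, ttl 64, id 42397, offset 0, flags [DF], length: 60)
15:42:58.118385 (tos 0x0, ttl 60, id 45200, offset 0, flags [DF], length: 60)
15:42:58.118472 (tos 0x0, ttl 64, id 42398, offset 0, flags [DF], length: 52)
15:42:59.009982 (tos 0x0, ttl 60, id 45212, offset 0, flags [DF], length: 75)
15:42:59.010065 (tos 0x0, ttl 64, id 42399, offset 0, flags [DF], length: 52)
15:42:59.010545 (tos 0x0, ttl 64, id 42400, offset 0, flags [DF], length: 74)
15:42:59.067028 (tos 0x0, ttl 60, id 45213, offset 0, flags [DF], length: 136)
15:42:59.100000 (tos 0x0, ttl 64, id 42400, offset 0, flags [DF], length: 52)
15:42:59.200000 (tos 0x0, ttl 64, id 7, offset 0, flags [DF], length: 52)
"""

# Matches the "(tos ..., ttl ..., id ..., offset ..., flags [...], length: ...)"
# shape of tcpdump -v output as shown in the mail.
HDR = re.compile(
    r"^(?P<ts>\S+) \(tos (?P<tos>0x[0-9a-f]+), ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r"offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], length: (?P<len>\d+)\)"
)

def parse_headers(text):
    """Return one dict per line that matches the verbose IP header format."""
    out = []
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            d = m.groupdict()
            for k in ("ttl", "id", "off", "len"):
                d[k] = int(d[k])
            out.append(d)
    return out

def id_anomalies(headers, max_step=256):
    """Flag ip ids that repeat or advance by more than max_step within a stream.
    Streams are keyed by ttl here (assumption: addresses were cut off); with
    full output, key on the source address instead."""
    last, findings = {}, []
    for h in headers:
        key = h["ttl"]
        if key in last:
            delta = (h["id"] - last[key]) % 65536   # ip id is a 16-bit field
            if delta == 0:
                findings.append((h["ts"], key, h["id"], "repeated id"))
            elif delta > max_step:
                findings.append((h["ts"], key, h["id"], "id jump of %d" % delta))
        last[key] = h["id"]
    return findings
```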