tcpdump mailing list archives

Re: Fw: print ip id


From: Hannes Gredler <hannes () juniper net>
Date: Tue, 22 Apr 2003 15:59:07 +0200

On Sat, Apr 19, 2003 at 03:10:27PM -0700, Guy Harris wrote:

| > Many intrusion analysts (self-serving rant here) correlate based on ip id,
| > and it is often an indicator of poorly crafted packets. Its absence is a
| > pain.
| 
| It's present in all tcpdump releases going back to 3.4, at least, so I
| agree that it should be put back.

I see, would anybody object if we move the entire detailed frag processing under
the verbose option before we branch out dissecting the IP proto?
  [like done in the attached patch?] The code would get a bit
more readable then.

the result would look like:

./tcpdump -nvr tcp-test.tcpdump | cut -b -78 
15:42:58.073771 (tos 0x0, ttl 64, id 42397, offset 0, flags [DF], length: 60) 
15:42:58.118385 (tos 0x0, ttl 60, id 45200, offset 0, flags [DF], length: 60) 
15:42:58.118472 (tos 0x0, ttl 64, id 42398, offset 0, flags [DF], length: 52) 
15:42:59.009982 (tos 0x0, ttl 60, id 45212, offset 0, flags [DF], length: 75) 
15:42:59.010065 (tos 0x0, ttl 64, id 42399, offset 0, flags [DF], length: 52) 
15:42:59.010545 (tos 0x0, ttl 64, id 42400, offset 0, flags [DF], length: 74) 
15:42:59.067028 (tos 0x0, ttl 60, id 45213, offset 0, flags [DF], length: 136)


/hannes


Attachment: fragments_print-ip.c.diff
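The verbose header line shown above is exactly what an analyst who correlates on IP id ends up parsing. As an added example (not tcpdump code and not part of this thread), here is a small Python parser for that `-v` header format together with the two checks the quoted complaint alludes to: an id that does not advance between packets from the same sender, and id 0 on a packet that is not marked DF. The sample in the thread was cut at 78 columns and carries no addresses, so the script groups by TTL as a stand-in for the source host; that grouping, the heuristics, and the second, constructed sample of crafted packets are assumptions of this example, not data from the thread.

```python
"""Parse the IP header fields that tcpdump -v prints and correlate on IP id.

Added example; not tcpdump code and not from the message above. It assumes the
-v header format quoted in the thread:
  HH:MM:SS.usec (tos 0x0, ttl 64, id 42397, offset 0, flags [DF], length: 60) ...
The quoted output was cut at 78 columns and has no addresses, so packets are
grouped by TTL as a stand-in for "same sender" (an assumption); with untruncated
output you would key on the source IP instead.
"""
import re
from collections import defaultdict

HDR_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) \(tos (?P<tos>0x[0-9a-fA-F]+), "
    r"ttl (?P<ttl>\d+), id (?P<id>\d+), offset (?P<offset>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], length: (?P<length>\d+)\)"
)

# Lines copied from the thread (./tcpdump -nvr tcp-test.tcpdump | cut -b -78).
SAMPLE = """\
15:42:58.073771 (tos 0x0, ttl 64, id 42397, offset 0, flags [DF], length: 60)
15:42:58.118385 (tos 0x0, ttl 60, id 45200, offset 0, flags [DF], length: 60)
15:42:58.118472 (tos 0x0, ttl 64, id 42398, offset 0, flags [DF], length: 52)
15:42:59.009982 (tos 0x0, ttl 60, id 45212, offset 0, flags [DF], length: 75)
15:42:59.010065 (tos 0x0, ttl 64, id 42399, offset 0, flags [DF], length: 52)
15:42:59.010545 (tos 0x0, ttl 64, id 42400, offset 0, flags [DF], length: 74)
15:42:59.067028 (tos 0x0, ttl 60, id 45213, offset 0, flags [DF], length: 136)
"""

# Constructed sample (not from the thread): a packet crafter that never fills in
# the id field, followed by one packet that does.
CRAFTED = """\
15:43:10.000001 (tos 0x0, ttl 64, id 0, offset 0, flags [none], length: 40)
15:43:10.000002 (tos 0x0, ttl 64, id 0, offset 0, flags [none], length: 40)
15:43:10.000003 (tos 0x0, ttl 64, id 1234, offset 0, flags [DF], length: 40)
"""


def parse_line(line):
    """Return the IP header fields of one tcpdump -v line, or None if it is not one."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # tcpdump prints "[none]" when no flag bit is set; treat that as an empty list.
    flags = [f.strip() for f in d["flags"].split(",") if f.strip() and f.strip() != "none"]
    return {"ts": d["ts"], "tos": int(d["tos"], 16), "ttl": int(d["ttl"]),
            "id": int(d["id"]), "offset": int(d["offset"]), "flags": flags,
            "length": int(d["length"])}


def parse_capture(text):
    """Parse every header line in a block of tcpdump -v output, skipping others."""
    recs = [parse_line(l) for l in text.splitlines()]
    return [r for r in recs if r is not None]


def ids_by_sender(records):
    """IP ids in arrival order, grouped by sender (TTL as the sender key here)."""
    groups = defaultdict(list)
    for r in records:
        groups[r["ttl"]].append(r["id"])
    return dict(groups)


def find_anomalies(records):
    """Heuristics an analyst applies when correlating on IP id.

    - id 0 on a packet without DF: a fragmentable datagram with no usable id,
      typical of hand-built packets that never set the field.
    - id unchanged since the previous packet from the same sender: a stack
      normally advances the counter; a constant id suggests crafted traffic.
    Deltas are taken modulo 2^16 so a legitimate wrap-around is not flagged.
    """
    findings = []
    last = {}
    for r in records:
        if r["id"] == 0 and "DF" not in r["flags"]:
            findings.append((r["ts"], "id 0 on a fragmentable packet"))
        key = r["ttl"]
        if key in last and (r["id"] - last[key]) % 65536 == 0:
            findings.append((r["ts"], "id did not advance since previous packet from same sender"))
        last[key] = r["id"]
    return findings


if __name__ == "__main__":
    for name, text in (("capture from thread", SAMPLE), ("constructed crafted packets", CRAFTED)):
        recs = parse_capture(text)
        print(name, ids_by_sender(recs))
        for ts, why in find_anomalies(recs):
            print("  ", ts, why)
```

Run against the thread's own output the two TTL groups show cleanly advancing ids (42397..42400 and 45200, 45212, 45213) and nothing is flagged; the constructed sample is flagged three times. The regex stops at the closing parenthesis, so it also matches untruncated `-v` lines that continue with the protocol and addresses.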