tcpdump mailing list archives
print ip id
From: George Bakos <gbakos () ists dartmouth edu>
Date: Wed, 16 Apr 2003 18:02:06 -0400
I'm curious as to why we test for nonzero frag offset before printing the ip id, even though vflag is set. Many intrusion analysts (self-serving rant here) correlate based on ip id, and it is often an indicator of poorly crafted packets. Its absence is a pain.

To avoid printing it unless REALLY desired, how about an additional test for vflag > 1:

    if ((off & 0x3fff) != 0 || vflag > 1)
        (void)printf(", id %u", EXTRACT_16BITS(&ip->ip_id));

--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
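As an added illustration (not code from the tcpdump source or from the post above), the following C program evaluates the current and the proposed print condition over a few constructed IPv4 headers. It assumes an option-less 20-byte header, reimplements EXTRACT_16BITS as a plain big-endian read, and the function names (build_ipv4_header, ip_id_printed_original, ip_id_printed_proposed) are hypothetical. The point it makes visible is that 0x3fff masks only MF plus the 13-bit offset, so an ordinary DF packet (the common case on the wire) is not a fragment and its id is suppressed under the existing test even with -v, while the proposed test prints it at -vv.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IPv4 header without options is 20 bytes; offsets of the two fields used. */
#define IPV4_MIN_HLEN 20
#define IP_ID_OFF     4   /* identification, 16 bits, network byte order */
#define IP_FRAG_OFF   6   /* flags (3 bits) + fragment offset (13 bits)  */

#define IP_DF      0x4000U  /* don't fragment */
#define IP_MF      0x2000U  /* more fragments */
#define IP_OFFMASK 0x1fffU  /* 13-bit fragment offset, in 8-byte units */

/* Same effect as tcpdump's EXTRACT_16BITS: big-endian, alignment-safe. */
static uint16_t extract_16bits(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Build a constructed 20-byte IPv4 header (no options, checksum left zero)
   with the given id and flags/offset word. Sample data, not captured traffic. */
size_t build_ipv4_header(uint8_t *buf, size_t buflen, uint16_t id, uint16_t flags_off)
{
    if (buflen < IPV4_MIN_HLEN) return 0;
    memset(buf, 0, IPV4_MIN_HLEN);
    buf[0] = 0x45;                                       /* version 4, IHL 5 */
    buf[2] = 0x00; buf[3] = 0x54;                        /* total length 84  */
    buf[4] = (uint8_t)(id >> 8);        buf[5] = (uint8_t)id;
    buf[6] = (uint8_t)(flags_off >> 8); buf[7] = (uint8_t)flags_off;
    buf[8] = 64;                                         /* TTL              */
    buf[9] = 1;                                          /* protocol: ICMP   */
    buf[12] = 10; buf[13] = 0; buf[14] = 0; buf[15] = 1; /* src 10.0.0.1     */
    buf[16] = 10; buf[17] = 0; buf[18] = 0; buf[19] = 2; /* dst 10.0.0.2     */
    return IPV4_MIN_HLEN;
}

/* (off & 0x3fff) != 0 holds for any fragment: MF set or nonzero offset.
   DF (0x4000) is outside the mask, so a DF-only packet is not a fragment. */
int ip_is_fragment(uint16_t off)
{
    return (off & (IP_MF | IP_OFFMASK)) != 0;   /* IP_MF | IP_OFFMASK == 0x3fff */
}

uint16_t ip_id(const uint8_t *hdr) { return extract_16bits(hdr + IP_ID_OFF); }

/* Behaviour the post objects to: under -v the id is printed only for fragments. */
int ip_id_printed_original(const uint8_t *hdr, size_t len, int vflag)
{
    if (len < IPV4_MIN_HLEN || !vflag) return 0;   /* truncated header: print nothing */
    return ip_is_fragment(extract_16bits(hdr + IP_FRAG_OFF));
}

/* Proposed test from the post: additionally print the id at -vv and above. */
int ip_id_printed_proposed(const uint8_t *hdr, size_t len, int vflag)
{
    if (len < IPV4_MIN_HLEN || !vflag) return 0;
    uint16_t off = extract_16bits(hdr + IP_FRAG_OFF);
    return (off & 0x3fff) != 0 || vflag > 1;
}

int main(void)
{
    uint8_t pkt[IPV4_MIN_HLEN];
    struct { const char *name; uint16_t id; uint16_t off; } cases[] = {
        { "DF set, not fragmented",        0x1234, IP_DF },
        { "first fragment (MF set)",       0x1234, IP_MF },
        { "last fragment, offset 185*8",   0x1234, 185   },
        { "no flags, id 0 (often crafted)",0x0000, 0     },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = build_ipv4_header(pkt, sizeof pkt, cases[i].id, cases[i].off);
        for (int v = 1; v <= 2; v++)
            printf("%-34s -v%s original:%s proposed:%s id %u\n", cases[i].name,
                   v > 1 ? "v" : " ",
                   ip_id_printed_original(pkt, n, v) ? "yes" : "no ",
                   ip_id_printed_proposed(pkt, n, v) ? "yes" : "no ",
                   ip_id(pkt));
    }
    return 0;
}
```

Run it to see, row by row, which of the two conditions would emit the id for each header at -v and at -vv; the DF-only row is the one that differs, which is exactly the case the post wants visible at -vv.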
Current thread:
- Fw: print ip id George Bakos (Apr 19)
- Re: Fw: print ip id Guy Harris (Apr 19)
- Re: Fw: print ip id George Bakos (Apr 20)
- Re: Fw: print ip id Hannes Gredler (Apr 22)
- Re: Fw: print ip id George Bakos (Apr 23)
- <Possible follow-ups>
- print ip id George Bakos (Apr 23)
- Re: Fw: print ip id Guy Harris (Apr 19)