Re: Fw: print ip id

[George Bakos <gbakos () ists dartmouth edu>]

I like the utilitarian feel to it, as well as the more readable code.

Perhaps we should extend ip_frag_values[] to include:

#define IP_RES 0x8000
{ IP_RES,       "RSVD!" } /* The RFC3514 evil bit */

gb

On Tue, 22 Apr 2003 15:59:07 +0200
Hannes Gredler <hannes () juniper net> wrote:

> On Sat, Apr 19, 2003 at 03:10:27PM -0700, Guy Harris wrote:
>
> | > Many intrusion analysts (self-serving rant here) correlate based on ip id,
> | > and it is often an indicator of poorly crafted packets. It's absence is a
> | > pain.
> | 
> | It's present in all tcpdump releases going back to 3.4, at least, so I
> | agree that it should be put back.
>
> i see, would anybody object if we move the entire detailed frag processing under
> the verbose option before we branch out dissecting the IP proto ?
>   [like done in the attached patch ?] the code would get a bit
> more readable then;
>
> the result would look like:
>
> ./tcpdump -nvr tcp-test.tcpdump | cut -b -78 
> 15:42:58.073771 (tos 0x0, ttl 64, id 42397, offset 0, flags [DF], length: 60) 
> 15:42:58.118385 (tos 0x0, ttl 60, id 45200, offset 0, flags [DF], length: 60) 
> 15:42:58.118472 (tos 0x0, ttl 64, id 42398, offset 0, flags [DF], length: 52) 
> 15:42:59.009982 (tos 0x0, ttl 60, id 45212, offset 0, flags [DF], length: 75) 
> 15:42:59.010065 (tos 0x0, ttl 64, id 42399, offset 0, flags [DF], length: 52) 
> 15:42:59.010545 (tos 0x0, ttl 64, id 42400, offset 0, flags [DF], length: 74) 
> 15:42:59.067028 (tos 0x0, ttl 60, id 45213, offset 0, flags [DF], length: 136)
>
>
> /hannes


-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe