tcpdump mailing list archives

Re: Fw: print ip id


From: Guy Harris <gharris () sonic net>
Date: Sat, 19 Apr 2003 15:10:27 -0700

On Sat, Apr 19, 2003 at 03:27:40PM -0400, George Bakos wrote:
> I'm curious as to why we test for nonzero frag offset before printing the
> ip id, even though vflag is set.

The test is actually for a nonzero frag offset *AND* a non-zero MF bit -
it's testing whether the packet is complete or a fragment.

That was done as part of revision 1.118:

        revision 1.118
        date: 2002/12/28 17:59:09;  author: hannes;  state: Exp;  lines: +11 -8
        - move IP option processing from the trail up to the header
        - suppress IP id == 0

which changed the test from

        if ((off & 0x3fff) == 0)

to

        if ((off & 0x3fff) != 0)

Before the change, the IP ID was printed as ", id N" for unfragmented
packets, and as part of the " (frag N:{len}@{offset}{mf})" stuff for
subsequent fragments.

After the change, the IP ID is not printed at all for unfragmented
packets, and is printed twice for fragments.

The change also moves where the TOS, TTL, length, and IP ID are printed
- they're now printed before the stuff from the higher-level protocol.  I
don't know whether that helps more scripts than it breaks, or breaks
more scripts than it helps.  (It breaks all scripts that expect output
for tcpdump 3.7.2 and earlier.)

> Many intrusion analysts (self-serving rant here) correlate based on ip id,
> and it is often an indicator of poorly crafted packets. Its absence is a
> pain.

It's present in all tcpdump releases going back to 3.4, at least, so I
agree that it should be put back.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
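To make the `(off & 0x3fff)` test concrete, here is an added example (not tcpdump's own code, and not from either poster) that models the two printing behaviours the message describes. It assumes the standard IPv4 layout of the fragment field (MF bit 0x2000, offset mask 0x1fff, offset in 8-byte units), and the helper names `ip_off_from_header`, `ip_is_fragment`, `describe_old` and `describe_new` are invented here; the output strings mimic the ", id N" and " (frag N:len@offset+)" forms quoted above in simplified form rather than reproducing tcpdump's exact formatting.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MF      0x2000u  /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu  /* fragment offset, in units of 8 bytes */

/* Read the 16-bit flags/offset field (bytes 6-7 of the IPv4 header,
 * network byte order) into host order. */
uint16_t ip_off_from_header(const uint8_t *hdr)
{
    return (uint16_t)((hdr[6] << 8) | hdr[7]);
}

/* The test from the thread: nonzero iff MF is set OR the offset is nonzero,
 * i.e. the packet is a fragment rather than a complete datagram.  The DF
 * bit (0x4000) is deliberately masked out. */
int ip_is_fragment(uint16_t off)
{
    return (off & 0x3fff) != 0;
}

/* Behaviour before revision 1.118: the ID is printed exactly once, either
 * as ", id N" for complete datagrams or inside the fragment summary. */
const char *describe_old(uint16_t id, uint16_t off, uint16_t len)
{
    static char buf[64];
    if (!ip_is_fragment(off)) {
        snprintf(buf, sizeof buf, ", id %u", (unsigned)id);
    } else {
        snprintf(buf, sizeof buf, " (frag %u:%u@%u%s)", (unsigned)id,
                 (unsigned)len, (unsigned)(off & IP_OFFMASK) * 8,
                 (off & IP_MF) ? "+" : "");
    }
    return buf;
}

/* Behaviour after the `== 0` -> `!= 0` flip, as the message describes it:
 * the ", id N" clause is now gated on the packet BEING a fragment, so a
 * complete datagram shows no ID and a fragment shows it twice. */
const char *describe_new(uint16_t id, uint16_t off, uint16_t len)
{
    static char buf[64];
    buf[0] = '\0';
    if (ip_is_fragment(off)) {
        snprintf(buf, sizeof buf, ", id %u", (unsigned)id);
        size_t used = strlen(buf);
        snprintf(buf + used, sizeof buf - used, " (frag %u:%u@%u%s)",
                 (unsigned)id, (unsigned)len,
                 (unsigned)(off & IP_OFFMASK) * 8,
                 (off & IP_MF) ? "+" : "");
    }
    return buf;
}

/* Constructed sample: the first 8 bytes of an IPv4 header with ID 0x1234
 * and flags/offset 0x4000 (DF set, not a fragment). */
static const uint8_t sample_hdr[8] = {
    0x45, 0x00, 0x00, 0x3c, 0x12, 0x34, 0x40, 0x00
};

int main(void)
{
    uint16_t off = ip_off_from_header(sample_hdr);
    printf("off=0x%04x fragment=%d\n", off, ip_is_fragment(off));
    printf("old:%s\n", describe_old(0x1234, off, 60));
    printf("new:%s\n", describe_new(0x1234, off, 60));
    printf("old first frag:%s\n", describe_old(0x1234, IP_MF, 1480));
    printf("new first frag:%s\n", describe_new(0x1234, IP_MF, 1480));
    return 0;
}
```

Running it shows the point of the complaint: for the unfragmented sample header the old code emits ", id 4660" and the new code emits nothing, while for a first fragment (off = 0x2000) the new code repeats the ID in both clauses. A correlation script keyed on ", id N" therefore loses every complete datagram after the change.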

