tcpdump mailing list archives

Re: Fw: print ip id


From: George Bakos <gbakos () ists dartmouth edu>
Date: Sun, 20 Apr 2003 15:45:04 -0400

On Sat, 19 Apr 2003 15:10:27 -0700
Guy Harris <gharris () sonic net> wrote:

Before the change, the IP ID was printed as ", id N" for unfragmented
packets, and as part of the " (frag N:{len}@{offset}{mf})" stuff for
subsequent fragments.

After the change, the IP ID is not printed at all for unfragmented
packets, and is printed twice for fragments.

At no point in any (ipv4/6) rfc is the term "fragment id", or anything
similar, used when discussing the IP ID field. Thus, (frag N:....) has
always been a mislabeling.  Of course the field was intended to
facilitate frag reassembly, but the historical behaviour of moving its
appearance depending on ip[6:2] was rather cumbersome to parse. The
duplicate appearance, IMHO, is better than the old bouncing, although
redundant. It would be more accurate to only include it once, depending on
the presence of vflag. This, however, would also serve to break parsing
scripts.
 
The change also moves where the TOS, TTL, length, and IP ID are printed
- it's now printed before the stuff from the higher-level protocol.  I
don't know whether that helps more scripts than it breaks, or breaks
more scripts than it helps.  (It breaks all scripts that expect output
for tcpdump 3.7.2 and earlier.)

Perhaps it may be prudent to provide a command-line option similar to a
format string, with the default being the old 3.x format. As tcpdump has
matured, vflag is becoming restrictive. v4?

Many intrusion analysts (self-serving rant here) correlate based on ip
id, and it is often an indicator of poorly crafted packets. Its
absence is a pain.

It's present in all tcpdump releases going back to 3.4, at least, so I
agree that it should be put back.


-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
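The thread turns on how the IP ID, flags and fragment offset (the ip[6:2] bytes) are decoded and where the ID ends up in the printed line. The following is an added illustration, not code from the thread or from tcpdump's source: it decodes those fields from a raw IPv4 header, checks the header checksum, and renders the ID in the two conventions discussed (the old "bouncing" placement that depends on fragment state, and a single fixed placement). The sample headers are constructed for this example, and the output strings approximate the formats described in the thread rather than reproducing tcpdump's literal format strings.

```python
"""Decode IPv4 ID / flags / fragment offset and render the ID in two
conventions from the tcpdump-workers thread (added example, not tcpdump code)."""
import struct

IP_DF = 0x4000        # "don't fragment" bit in ip[6:2]
IP_MF = 0x2000        # "more fragments" bit in ip[6:2]
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the header; returns 0 for a header whose
    stored checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ident: int, flags_off: int, total_len: int, proto: int = 17,
                      ttl: int = 64, tos: int = 0,
                      src: bytes = b"\x0a\x00\x00\x01",
                      dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Construct a 20-byte IPv4 header (sample data for this example, not a capture)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_off,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_frag_fields(pkt: bytes) -> dict:
    """Pull TOS, TTL, length, ID and the ip[6:2] flags/offset out of a header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    tos, total_len, ident, frag = struct.unpack_from("!BHHH", pkt, 1)
    return {
        "tos": tos, "ttl": pkt[8], "id": ident, "total_len": total_len,
        "payload_len": total_len - ihl,
        "df": bool(frag & IP_DF), "mf": bool(frag & IP_MF),
        "offset": (frag & IP_OFFMASK) * 8,           # byte offset into the datagram
        "cksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }


def is_fragment(f: dict) -> bool:
    """A fragment is anything with MF set or a non-zero offset (cf. BPF ip[6:2] & 0x3fff)."""
    return f["mf"] or f["offset"] != 0


def frag_suffix(f: dict) -> str:
    return "%d@%d%s" % (f["payload_len"], f["offset"], "+" if f["mf"] else "")


def render_id_bouncing(f: dict) -> str:
    """Old convention described in the thread: the ID appears once, but its
    position and label depend on the fragment state."""
    if is_fragment(f):
        return " (frag %d:%s)" % (f["id"], frag_suffix(f))
    return ", id %d" % f["id"]


def render_id_fixed(f: dict) -> str:
    """Single-placement variant (hypothetical layout): the ID is always ', id N'
    in the same spot and the fragment data is a separate, optional field."""
    out = ", id %d" % f["id"]
    if is_fragment(f):
        out += ", frag " + frag_suffix(f)
    return out


# Constructed samples: one unfragmented DF datagram and the first and last
# fragments of a 1580-byte payload that was split at 1480 bytes.
SAMPLE_UNFRAGMENTED = build_ipv4_header(0x1234, IP_DF, 48)
SAMPLE_FIRST_FRAG = build_ipv4_header(0xBEEF, IP_MF | 0, 1500)
SAMPLE_LAST_FRAG = build_ipv4_header(0xBEEF, 1480 // 8, 120)

if __name__ == "__main__":
    for name, pkt in (("unfragmented", SAMPLE_UNFRAGMENTED),
                      ("first frag", SAMPLE_FIRST_FRAG),
                      ("last frag", SAMPLE_LAST_FRAG)):
        f = parse_ipv4_frag_fields(pkt)
        print("%-12s bouncing:%-26s fixed:%s  cksum_ok=%s"
              % (name, render_id_bouncing(f), render_id_fixed(f), f["cksum_ok"]))
```

The fixed-placement renderer is the part a correlation script would prefer: the ID is always found at the same field position regardless of ip[6:2], which is exactly the parsing pain the thread complains about with the bouncing form.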
