tcpdump mailing list archives

print ip id


From: George Bakos <gbakos () ists dartmouth edu>
Date: Wed, 16 Apr 2003 18:02:06 -0400

I'm curious as to why we test for nonzero frag offset before printing the
ip id, even though vflag is set.

Many intrusion analysts (self-serving rant here) correlate based on ip id,
and it is often an indicator of poorly crafted packets. Its absence is a
pain.

To avoid printing it unless REALLY desired, how about an additional test
for vflag > 1:

            if ((off & 0x3fff) != 0 || vflag > 1)
                (void)printf(", id %u", EXTRACT_16BITS(&ip->ip_id));

-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
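Added example (not tcpdump source, not part of the message above): a small C program that reads the id and flags/offset fields from a constructed IPv4 header and applies both the current test (fragments only) and the proposed test (fragments, or vflag > 1), so the effect of the change can be seen on an unfragmented DF packet. The header bytes, the helper names and the sample id 0xBEEF are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Big-endian 16-bit read, the same job tcpdump's EXTRACT_16BITS does. */
static uint16_t extract_16bits(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Current behaviour described in the message: id is printed only when the
 * packet belongs to a fragment train (MF bit or nonzero offset: off & 0x3fff). */
int ipid_should_print_current(uint16_t off) {
    return (off & 0x3fff) != 0;
}

/* Proposed behaviour: as above, or when verbosity is at least -vv. */
int ipid_should_print_proposed(uint16_t off, int vflag) {
    return (off & 0x3fff) != 0 || vflag > 1;
}

/* Pull id and flags/offset from a minimal IPv4 header; 0 on failure. */
int parse_ipv4_id_off(const uint8_t *buf, size_t len, uint16_t *id, uint16_t *off) {
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    *id = extract_16bits(buf + 4);   /* identification field */
    *off = extract_16bits(buf + 6);  /* flags (3 bits) + fragment offset */
    return 1;
}

/* Constructed sample: unfragmented TCP/IPv4 header, DF set, id 0xBEEF. */
static const uint8_t sample_df[20] = {
    0x45, 0x00, 0x00, 0x28, 0xbe, 0xef, 0x40, 0x00,
    0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02 };

int sample_ip_id(void) {
    uint16_t id, off;
    return parse_ipv4_id_off(sample_df, sizeof sample_df, &id, &off) ? id : -1;
}

/* Would the sample's id be printed at this verbosity under the proposal? */
int sample_prints_id(int vflag) {
    uint16_t id, off;
    return parse_ipv4_id_off(sample_df, sizeof sample_df, &id, &off)
        && ipid_should_print_proposed(off, vflag);
}

int main(void) {
    for (int v = 0; v <= 2; v++)
        printf("vflag=%d current=%d proposed=%d id %u\n", v,
               ipid_should_print_current(0x4000), sample_prints_id(v), sample_ip_id());
    return 0;
}
```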