On 2017-07-20 Vijay Sankar wrote:
I am a bit confused about IP ID and was wondering about the following.
Is it normal to have the same IP ID for the initial SYN packet from different source IP addresses? There are no fragmentation issues in this case since it is only 40 bytes and I see this same IP ID only with attempts to establish a session to 161/TCP.
Off the top of my head, and without consulting anything (I can do that later), I recall reading something about this being OS specific. Some OSes randomize, some start with whatever. I think it can be used to determine what OS is hitting you in some cases. My guess would be older OSes don't randomize. Or I'm completely out to lunch at this late hour...