I am a bit confused about IP ID and was wondering about the following.
Is it normal to have the same IP ID for the initial SYN packet from different source IP addresses? There is no fragmentation issues in this case since it is only 40 bytes and I see this same IP ID only with attempts to establish a session to 161/TCP.
I read through RFCs (mostly 6861 and 4413) but not sure. Please let me know if you can give me any clues or suggestions.
Thanks very much,
Vijay
On 2017-07-20 Vijay Sankar wrote:
I am a bit confused about IP ID and was wondering about the following.
Is it normal to have the same IP ID for the initial SYN packet from different source IP addresses? There is no fragmentation issues in this case since it is only 40 bytes and I see this same IP ID only with attempts to establish a session to 161/TCP.
Off the top of my head, and without consulting anything (I can do that later), I recall reading something about this being OS specific. Some OS's randomize, some start with whatever. I think it can be used to determine what OS is hitting you in some cases. My guess would be older OS's don't randomize. Or I'm completely out to lunch at this late hour...
This might be useful. I had bookmarked it years and years ago because I thought it was neat.
http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
Rob
On 2017-07-20 5:29 AM, Trevor Cordes wrote:
On 2017-07-20 Vijay Sankar wrote:
I am a bit confused about IP ID and was wondering about the following.
Is it normal to have the same IP ID for the initial SYN packet from different source IP addresses? There is no fragmentation issues in this case since it is only 40 bytes and I see this same IP ID only with attempts to establish a session to 161/TCP.
Off the top of my head, and without consulting anything (I can do that later), I recall reading something about this being OS specific. Some OS's randomize, some start with whatever. I think it can be used to determine what OS is hitting you in some cases. My guess would be older OS's don't randomize. Or I'm completely out to lunch at this late hour... _______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable
-
Robert Keizer -
Trevor Cordes -
Vijay Sankar