Quoting roundtable-request@muug.ca:
Send Roundtable mailing list submissions to roundtable@muug.ca
Today's Topics:
- IP ID field (Vijay Sankar)
- Re: IP ID field (Trevor Cordes)
- Re: IP ID field (Robert Keizer)
Message: 1
Date: Thu, 20 Jul 2017 05:17:38 -0500
From: Vijay Sankar vsankar@foretell.ca
To: roundtable@muug.ca
Subject: [RndTbl] IP ID field
Message-ID: 20170720051738.Horde.Njt9ul6yxkwX9F4SgaRrt_f@server3.foretell.ca
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
I am a bit confused about IP ID and was wondering about the following.
Is it normal to have the same IP ID for the initial SYN packet from different source IP addresses? There are no fragmentation issues in this case since it is only 40 bytes, and I see this same IP ID only with attempts to establish a session to 161/TCP.
I read through the RFCs (mostly 6861 and 4413) but am not sure. Please let me know if you can give me any clues or suggestions.
Thanks very much,
Vijay
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsankar@foretell.ca
Message: 2
Date: Thu, 20 Jul 2017 05:29:47 -0500
From: Trevor Cordes trevor@tecnopolis.ca
To: roundtable@muug.ca
Subject: Re: [RndTbl] IP ID field
Message-ID: 20170720052947.3d308709@pog.tecnopolis.ca
Content-Type: text/plain; charset=US-ASCII
On 2017-07-20 Vijay Sankar wrote:
> I am a bit confused about IP ID and was wondering about the following.
> Is it normal to have the same IP ID for the initial SYN packet from different source IP addresses? There are no fragmentation issues in this case since it is only 40 bytes, and I see this same IP ID only with attempts to establish a session to 161/TCP.
Off the top of my head, and without consulting anything (I can do that later), I recall reading something about this being OS specific. Some OS's randomize, some start with whatever. I think it can be used to determine what OS is hitting you in some cases. My guess would be older OS's don't randomize. Or I'm completely out to lunch at this late hour...
Message: 3
Date: Thu, 20 Jul 2017 08:10:00 -0500
From: Robert Keizer robert@keizer.ca
To: roundtable@muug.ca
Subject: Re: [RndTbl] IP ID field
Message-ID: 581b99bc-697e-a196-c4ba-00ab38af6a3e@keizer.ca
Content-Type: text/plain; charset="utf-8"
This might be useful. I had bookmarked it years and years ago because I thought it was neat.
http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
Rob
On 2017-07-20 5:29 AM, Trevor Cordes wrote:
> On 2017-07-20 Vijay Sankar wrote:
>> I am a bit confused about IP ID and was wondering about the following.
>> Is it normal to have the same IP ID for the initial SYN packet from different source IP addresses? There are no fragmentation issues in this case since it is only 40 bytes, and I see this same IP ID only with attempts to establish a session to 161/TCP.
> Off the top of my head, and without consulting anything (I can do that later), I recall reading something about this being OS specific. Some OS's randomize, some start with whatever. I think it can be used to determine what OS is hitting you in some cases. My guess would be older OS's don't randomize. Or I'm completely out to lunch at this late hour...
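
Added example, not part of the original thread and not written by any of its participants: one way to check captured packets for the pattern described in the first message, grouping pure TCP SYNs by destination port and IP ID and reporting any ID used by several distinct source addresses. The function names, the min_sources threshold, and the sample packets (documentation addresses, made-up IP IDs) are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def build_syn(src, dst, ip_id, sport, dport):
    """Build a constructed 40-byte IPv4+TCP SYN (checksums left at 0) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 1024, 0, 0)
    return ip + tcp

def parse_syn(pkt):
    """Return (src, ip_id, dport) for an unfragmented pure TCP SYN, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[9] != 6:
        return None
    ip_id, frag = struct.unpack("!HH", pkt[4:8])
    if frag & 0x3FFF:                      # MF set or nonzero offset: a fragment
        return None
    (dport,) = struct.unpack("!H", pkt[ihl + 2:ihl + 4])
    if pkt[ihl + 13] & 0x12 != 0x02:       # SYN set, ACK clear
        return None
    return socket.inet_ntoa(bytes(pkt[12:16])), ip_id, dport

def shared_ip_ids(packets, min_sources=3):
    """Map (dport, ip_id) -> sorted sources for IDs used by >= min_sources hosts."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse_syn(pkt)
        if parsed:
            src, ip_id, dport = parsed
            seen[(dport, ip_id)].add(src)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_sources}

# Constructed sample traffic: three sources sharing one IP ID toward 161/TCP,
# plus two unrelated SYNs with different IDs.
SAMPLE = [
    build_syn("198.51.100.7", "192.0.2.10", 0x1234, 40001, 161),
    build_syn("203.0.113.9", "192.0.2.10", 0x1234, 40002, 161),
    build_syn("198.51.100.88", "192.0.2.10", 0x1234, 40003, 161),
    build_syn("203.0.113.50", "192.0.2.10", 0x8A01, 51000, 443),
    build_syn("203.0.113.51", "192.0.2.10", 0x0C44, 51001, 443),
]

if __name__ == "__main__":
    for (dport, ip_id), srcs in shared_ip_ids(SAMPLE).items():
        print(f"{dport}/tcp IP ID {ip_id:#06x} shared by {len(srcs)} sources: {srcs}")
```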