[RndTbl] IP ID field

Vijay Sankar vsankar at foretell.ca
Thu Jul 20 19:30:04 CDT 2017


Quoting roundtable-request at muug.ca:

> Today's Topics:
>
>    1. IP ID field (Vijay Sankar)
>    2. Re: IP ID field (Trevor Cordes)
>    3. Re: IP ID field (Robert Keizer)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 20 Jul 2017 05:17:38 -0500
> From: Vijay Sankar <vsankar at foretell.ca>
> To: roundtable at muug.ca
> Subject: [RndTbl] IP ID field
> Message-ID:
> 	<20170720051738.Horde.Njt9ul6yxkwX9F4SgaRrt_f at server3.foretell.ca>
> Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
>
> I am a bit confused about IP ID and was wondering about the following.
>
> Is it normal to have the same IP ID for the initial SYN packet from
> different source IP addresses? There are no fragmentation issues in
> this case since it is only 40 bytes and I see this same IP ID only
> with attempts to establish a session to 161/TCP.
>
> I read through RFCs (mostly 6861 and 4413) but am not sure. Please let me
> know if you can give me any clues or suggestions.
>
> Thanks very much,
>
> Vijay
> --
> Vijay Sankar, M.Eng., P.Eng.
> ForeTell Technologies Limited
> vsankar at foretell.ca
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 20 Jul 2017 05:29:47 -0500
> From: Trevor Cordes <trevor at tecnopolis.ca>
> To: roundtable at muug.ca
> Subject: Re: [RndTbl] IP ID field
> Message-ID: <20170720052947.3d308709 at pog.tecnopolis.ca>
> Content-Type: text/plain; charset=US-ASCII
>
> On 2017-07-20 Vijay Sankar wrote:
>> I am a bit confused about IP ID and was wondering about the following.
>>
>> Is it normal to have the same IP ID for the initial SYN packet from
>> different source IP addresses? There are no fragmentation issues in
>> this case since it is only 40 bytes and I see this same IP ID only
>> with attempts to establish a session to 161/TCP.
>
> Off the top of my head, and without consulting anything (I can do that
> later), I recall reading something about this being OS specific.  Some
> OS's randomize, some start with whatever.  I think it can be used to
> determine what OS is hitting you in some cases.  My guess would be
> older OS's don't randomize.  Or I'm completely out to lunch at this late
> hour...
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 20 Jul 2017 08:10:00 -0500
> From: Robert Keizer <robert at keizer.ca>
> To: roundtable at muug.ca
> Subject: Re: [RndTbl] IP ID field
> Message-ID: <581b99bc-697e-a196-c4ba-00ab38af6a3e at keizer.ca>
> Content-Type: text/plain; charset="utf-8"
>
> This might be useful. I had bookmarked it years and years ago because I
> thought it was neat.
>
> http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
>
>
> Rob
>
> On 2017-07-20 5:29 AM, Trevor Cordes wrote:
>> On 2017-07-20 Vijay Sankar wrote:
>>> I am a bit confused about IP ID and was wondering about the following.
>>>
>>> Is it normal to have the same IP ID for the initial SYN packet from
>>> different source IP addresses? There are no fragmentation issues in
>>> this case since it is only 40 bytes and I see this same IP ID only
>>> with attempts to establish a session to 161/TCP.
>> Off the top of my head, and without consulting anything (I can do that
>> later), I recall reading something about this being OS specific.  Some
>> OS's randomize, some start with whatever.  I think it can be used to
>> determine what OS is hitting you in some cases.  My guess would be
>> older OS's don't randomize.  Or I'm completely out to lunch at this late
>> hour...
>
>
> ------------------------------
>
> End of Roundtable Digest, Vol 151, Issue 16
> *******************************************

Thanks very much, Trevor and Robert, for your thoughts on this. I am
still researching this and will report back to the list if I find
anything useful.

Vijay

-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsankar at foretell.ca
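
Added example, not part of the original post: one way to check a capture for the pattern asked about above, pure SYN packets to the same TCP port that carry an identical IP ID from different source addresses. The packets, addresses (documentation ranges) and the ID value 54321 are constructed sample data, and the function names are this example's own.

```python
import struct
from collections import defaultdict

def build_syn(src, dst_port, ip_id, flags=0x02):
    """Constructed sample: 40-byte IPv4+TCP packet, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHLLBBHHH", 40000, dst_port, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def parse_syn(pkt):
    """Return (src, dst_port, ip_id, total_len) for a pure IPv4 TCP SYN, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                        # bad header, not TCP, or truncated
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if pkt[ihl + 13] & 0x12 != 0x02:       # SYN set, ACK clear
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, dst_port, ip_id, total_len

def shared_ip_ids(packets, min_sources=2):
    """Map (dst_port, ip_id) -> sorted sources for IDs seen from >= min_sources hosts."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse_syn(pkt)
        if parsed:
            src, dst_port, ip_id, _ = parsed
            seen[(dst_port, ip_id)].add(src)
    return {key: sorted(srcs) for key, srcs in seen.items() if len(srcs) >= min_sources}

# Constructed capture: three sources share one IP ID toward 161/TCP.
SAMPLE = [
    build_syn("198.51.100.7", 161, 54321),
    build_syn("203.0.113.5", 161, 54321),
    build_syn("203.0.113.20", 161, 54321),
    build_syn("198.51.100.9", 161, 1177),               # different ID, not grouped
    build_syn("198.51.100.7", 22, 54321),               # same ID, single source on port 22
    build_syn("203.0.113.99", 161, 54321, flags=0x12),  # SYN/ACK, ignored
]

if __name__ == "__main__":
    for (port, ip_id), sources in shared_ip_ids(SAMPLE).items():
        print(f"{port}/TCP IP ID {ip_id}: {', '.join(sources)}")
```
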


