[RndTbl] IP ID field
Trevor Cordes
trevor at tecnopolis.ca
Thu Jul 20 05:29:47 CDT 2017
On 2017-07-20 Vijay Sankar wrote:
> I am a bit confused about IP ID and was wondering about the following.
>
> Is it normal to have the same IP ID for the initial SYN packet from
> different source IP addresses? There is no fragmentation issues in
> this case since it is only 40 bytes and I see this same IP ID only
> with attempts to establish a session to 161/TCP.
Off the top of my head, and without consulting anything (I can do that
later), I recall reading something about this being OS specific. Some
OS's randomize, some start with whatever. I think it can be used to
determine what OS is hitting you in some cases. My guess would be
older OS's don't randomize. Or I'm completely out to lunch at this late
hour...
More information about the Roundtable
mailing list