Bugtraq mailing list archives
Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs)
From: marvin () NSS NU
Date: Tue, 8 May 2001 09:46:59 +0200
On Sun, 06 May 2001, Ofir Arkin wrote:
> The first ICMP Echo request sent from the Microsoft NT 4 based machine was sent with IP ID of 28416. The second ICMP Echo request was sent with IP ID value of 28672. Simple calculation will show a gap of 256 between the IP ID field values.
And some simple thinking will show that this is because they send out a little endian value that is incremented.
> Looking at the replies the LINUX based machine produced, we see a gap of 1 between one IP ID to the next.
And OpenBSD is random. So is Linux if you use my patch (shameless plug) at http://synscan.nss.nu (for 2.2.16 but should patch against 2.2.18, probably). Predictable IP.ids are used in ipidscan (mine) and idlescan (someone else's), both released in Dec 2000. ipidscan has a flag (-e) for using against windows. Check out posts from antirez in Dec 1998 and posts on this topic in Dec 1999.
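The arithmetic discussed in this message, as an added example that is not part of the original post or thread: it classifies a series of IP ID values read from the wire as a counter in network byte order, a byte-swapped (little-endian) counter, or irregular. Only 28416 and 28672 come from the quoted post; the other sample values and the `max_step` tolerance are constructed assumptions.

```python
"""Classify observed IP ID sequences (values as read from the wire, big-endian)."""


def swap16(v: int) -> int:
    """Swap the two bytes of a 16-bit value."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def deltas(ids: list[int]) -> list[int]:
    """Consecutive differences modulo 2**16, so counter wraparound is handled."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify(ids: list[int], max_step: int = 64) -> str:
    # max_step is an assumed tolerance: a host-wide counter also advances for
    # packets sent to other peers, so gaps larger than 1 are expected.
    if len(ids) < 3:
        return "insufficient data"
    net = deltas(ids)
    if all(d == 0 for d in net):
        return "constant"
    if all(0 < d <= max_step for d in net):
        return "sequential, network byte order"
    # A little-endian counter sent without conversion looks like steps of 256
    # on the wire; swapping the bytes back recovers the small increments.
    if all(0 < d <= max_step for d in deltas([swap16(v) for v in ids])):
        return "sequential, byte-swapped counter"
    return "irregular"


# First two values are from the quoted post; the third is constructed.
NT4_LIKE = [28416, 28672, 28928]
# Constructed samples.
LINUX_LIKE = [4021, 4022, 4023]
WRAP_LIKE = [swap16(c) for c in (255, 256, 257)]  # low byte carries over
RANDOM_LIKE = [51234, 1077, 40211, 9932]

if __name__ == "__main__":
    print("wire delta:", deltas(NT4_LIKE[:2]), "host counter:",
          [swap16(v) for v in NT4_LIKE[:2]])
    for name, seq in [("NT4-like", NT4_LIKE), ("Linux-like", LINUX_LIKE),
                      ("carry", WRAP_LIKE), ("random-like", RANDOM_LIKE)]:
        print(f"{name:12} {seq} -> {classify(seq)}")
```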