Bugtraq mailing list archives

Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs)

From: marvin () NSS NU
Date: Tue, 8 May 2001 09:46:59 +0200

On Sun, 06 May 2001, Ofir Arkin wrote:

The first ICMP Echo request sent from the Microsoft NT 4 based machine was
sent with IP ID of 28416. The second ICMP Echo request was sent with IP ID
value of 28672. Simple calculation will show a gap of 256 between the IP ID
field values.


And some simple thinking will show that this is because they send out a
little endian value that is incremented.

Looking at the replies the LINUX based machine produced, we see a gap of 1
between one IP ID to the next.


And OpenBSD is random.
So is Linux if you use my patch (shameless plug) at http://synscan.nss.nu
(for 2.2.16 but should patch against 2.2.18, probably).

Predictable IP.ids are used in ipidscan (mine) and idlescan (someone elses),
both released in Dec 2000. ipidscan has a flag (-e) for using against windows.

Check out posts from antirez in Dec 1998 and posts on this topic in Dec 1999.

Current thread:

Fun with IP Identification Field Values (Identifying Older MS Based OSs) Ofir Arkin (May 07)
- Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs) marvin (May 11)
- Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs) Denis Ducamp (May 11)
  - Re: Fun with IP Identification Field Values (Identifying Older MSBased OSs) Crist Clark (May 15)
- Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs) Aaron Campbell (May 11)