Identification Field in IP header and Filter

Status
Not open for further replies.

hack12

IS-IT--Management
Dec 26, 2003
24
US
Hi, I am using a DS-Pro sniffer and am looking at the identification field, trying to figure out if there is any way to set a filter to display any packets that, say, skip a few numbers, thereby indicating lost packets. The reason I am trying to do this is that I am looking at multiple traces which are huge, and looking through the entire for this information is extremely tedious. Appreciate the help.
 
Hi,

First, a small part of RFC 791 (Internet Protocol):
__________________________________________________
The internet fragmentation and reassembly procedure needs to be able to break a datagram into an almost arbitrary number of pieces that can be later reassembled. The receiver of the fragments uses the identification field to ensure that fragments of different datagrams are not mixed. The fragment offset field tells the receiver the position of a fragment in the original datagram. The fragment offset and length determine the portion of the original datagram covered by this fragment. The more-fragments flag indicates (by being reset) the last fragment. These fields provide sufficient information to reassemble datagrams.

The identification field is used to distinguish the fragments of one datagram from those of another. The originating protocol module of an internet datagram sets the identification field to a value that must be unique for that source-destination pair and protocol for the time the datagram will be active in the internet system. The originating protocol module of a complete datagram sets the more-fragments flag to zero and the fragment offset to zero.
_________________________________________________________

So, the ID field is a more or less random number that is used by IP to reassemble fragments. It is very difficult and dangerous to use this to look for missing frames.

I don't know which transport layer protocols you are using, but in the case of TCP, I would use the sequence numbering to figure out if any packets are lost (and retransmitted).

If you have a Sniffer Pro, the expert will tell you (sometimes, not always) which packets on TCP or UDP level are retransmitted. So, this will save you a lot of search work.

Regards,
Robert
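
The sequence-number approach suggested in the reply above, as an added Python example that is not part of the original thread or either poster's code. It assumes the packets have already been exported from the capture as raw IPv4 bytes with no link-layer header; all function names and the sample trace are constructed for illustration.

```python
import struct
from collections import namedtuple

Event = namedtuple("Event", "index kind seq expected")

def parse_ipv4_tcp(pkt):
    """Return (flow, seq, seg_len) for an unfragmented IPv4/TCP packet, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    if frag & 0x3FFF or len(pkt) < ihl + 20:   # skip IP fragments and short headers
        return None
    sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    data_off = (pkt[ihl + 12] >> 4) * 4
    flags = pkt[ihl + 13]
    # SYN (0x02) and FIN (0x01) each consume one sequence number, like a payload byte.
    seg_len = total_len - ihl - data_off + bool(flags & 0x02) + bool(flags & 0x01)
    return (pkt[12:16], sport, pkt[16:20], dport), seq, seg_len

def find_seq_anomalies(packets):
    """Flag segments that start past (gap) or before (retransmission) the next expected byte."""
    expected, events = {}, []          # expected: flow -> next sequence number
    for i, pkt in enumerate(packets):
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None or parsed[2] == 0:   # non-TCP, fragment, or pure ACK
            continue
        flow, seq, seg_len = parsed
        if flow in expected:
            delta = (seq - expected[flow]) & 0xFFFFFFFF   # modulo 2**32: survives wraparound
            if delta >= 0x80000000:                       # behind expected: already seen
                events.append(Event(i, "retransmission", seq, expected[flow]))
                continue
            if delta:                                     # ahead: bytes missing from the trace
                events.append(Event(i, "gap", seq, expected[flow]))
        expected[flow] = (seq + seg_len) & 0xFFFFFFFF
    return events

def make_packet(seq, payload_len, ident):
    """Constructed sample packet 10.0.0.1:1025 -> 10.0.0.2:80, PSH|ACK, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, ident, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + bytes(payload_len)

# Constructed trace: IP IDs are deliberately irregular; only the TCP sequence space matters.
SAMPLE = [make_packet(0xFFFFFF00, 100, 7), make_packet(0xFFFFFF64, 200, 900),
          make_packet(0x90, 100, 12), make_packet(0x2C, 100, 13), make_packet(0xF4, 50, 5000)]

if __name__ == "__main__":
    for ev in find_seq_anomalies(SAMPLE):
        print(ev)
```

A "gap" seen at a single capture point can also mean reordering or frames dropped by the capture itself, so a gap followed by a retransmission of the same range is the stronger sign of real loss.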
 