Ethereal-users: Re: [Ethereal-users] IP Identification number

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Kevin <kem2@xxxxxxx>
Date: Sat, 5 Apr 2003 15:40:59 -0500
Two observations here

1) IP ID is usually incremented per packet. That means any other packet leaving the interface will increment the IP ID. This is not based on the S/D IP, but on a packet for any destination heading out the interface.

2) Several techniques to fool hackers cause the IP ID to not increment by one every packet, but by some random number. This prevents the hacker from fingerprinting the OS.

These 2 variables pretty much preclude the use of IP ID being used to reliably detect the conditions you described. You really have to dig into the upper layers to be sure.

Kevin Mason

On Friday, Apr 4, 2003, at 19:25 US/Eastern, Ben Carter wrote:

If this question has already been answered I apologize for my inability to find it in the mailing list archives or the FAQ.

Is it possible to display the IP identification number in the main display? This will be very helpful when examining UDP video streams for missing packets (these packet captures can be 120,000+ packets). Better yet, is there any way ethereal can raise some sort of flag when UDP packets arrive out of order or are missing?

Maybe a combination of tethereal, awk and grep in a script?

Thank you for any help.
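
The first observation in the reply above, as an added example that is not part of the original thread: a sender with one global IP ID counter produces the same number of IP ID gaps in a per-destination stream whether or not a packet was lost, while an upper-layer sequence number separates the two cases. The addresses, port 5004 and the 16-bit sequence number at the start of the UDP payload are assumptions made for the illustration; the thread names no application protocol.

```python
import socket
import struct

VIDEO_DST = "198.51.100.10"   # constructed address of the video receiver
OTHER_DST = "203.0.113.5"     # constructed address of unrelated traffic

def build_packet(ip_id, dst, app_seq):
    """Constructed IPv4+UDP packet; payload begins with a 16-bit app sequence (assumption)."""
    payload = struct.pack("!H", app_seq) + b"video"
    udp = struct.pack("!HHHH", 5004, 5004, 8 + len(payload), 0) + payload
    # Checksums are left at 0; this example never verifies them.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.1"), socket.inet_aton(dst))
    return ip + udp

def parse(pkt):
    """Return (dst, ip_id, app_seq) from a raw IPv4/UDP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    dst = socket.inet_ntoa(pkt[16:20])
    app_seq = struct.unpack("!H", pkt[ihl + 8:ihl + 10])[0]
    return dst, ip_id, app_seq

def count_gaps(values):
    """Count consecutive steps that are not +1 modulo 2**16."""
    return sum(1 for a, b in zip(values, values[1:]) if (b - a) & 0xFFFF != 1)

def analyse(capture, dst):
    """Return (IP ID gaps, application sequence gaps) for packets sent to dst."""
    stream = [row for row in map(parse, capture) if row[0] == dst]
    return count_gaps([r[1] for r in stream]), count_gaps([r[2] for r in stream])

def make_capture(drop_seq=None):
    """Sender with one global IP ID counter; every third packet goes to OTHER_DST."""
    capture, ip_id, seq = [], 65530, 0   # start near the wrap to exercise modulo 2**16
    for i in range(12):
        if i % 3 == 2:
            capture.append(build_packet(ip_id & 0xFFFF, OTHER_DST, 0))
        else:
            if seq != drop_seq:          # a lost packet still consumed its IP ID
                capture.append(build_packet(ip_id & 0xFFFF, VIDEO_DST, seq))
            seq += 1
        ip_id += 1
    return capture

if __name__ == "__main__":
    print("no loss          :", analyse(make_capture(), VIDEO_DST))
    print("video seq 3 lost :", analyse(make_capture(drop_seq=3), VIDEO_DST))
```

The example covers only the shared-counter case; a sender that randomizes the IP ID, the second observation in the reply, would make every step count as a gap.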