IP ID 0x0000

I am analyzing a pcap from an OS X 12.1 (Monterey) box ... I notice that this stack mostly sets IP ID to 0x0000. Sometimes, it starts incrementing by 1, e.g. 0x0000, 0x0001, 0x0002, 0x0003 ... but it generally doesn't get far before it returns to 0x0000. At the moment, I'm filtering on tcp.port==443.

I haven't seen this behavior -- I'm used to seeing IP ID increasing steadily, then wrapping at 0xFFFF and starting over.

Would anyone be willing to speculate as to why Monterey might not want to bother setting IP ID? Thinking about this, I suppose a non-zero IP ID is not essential to the success of a conversation ... but it does seem odd to me.

--sk

Stuart Kendrick

So, just to be clear, you’re talking about the Identification in the IPv4 header, right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK, I've been reading the relevant RFC, and I can, I believe, answer this question. Since the IP Identification field is not required for frames flagged as "Don't Fragment", some stacks set it to an arbitrary value, like 0x0000, whenever they set the Don't Fragment bit. This disappoints network analysts like myself, because it makes pcap analysis harder, but nevertheless this is RFC-compliant behavior.

--sk
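An added example, not from the thread, showing how an analyst can tell the benign case apart from the one worth a look: it parses raw IPv4 headers and applies the rule the answer above refers to (RFC 6864: an "atomic" datagram, DF set and not a fragment, may carry any ID, so 0x0000 is fine; a fragmentable or fragmented datagram with ID 0 could never be reassembled). The packet bytes are constructed here, not taken from the original pcap, and the `build_ipv4`, `parse_ipv4`, `ip_id_verdict` and `audit` names are mine.

```python
import struct

DF = 0x4000  # Don't Fragment flag (bit 14 of the flags/fragment-offset field)
MF = 0x2000  # More Fragments flag (bit 13)
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte header without options

def build_ipv4(ident, df=True, mf=False, offset=0, proto=6):
    """Build a minimal IPv4 header for testing (checksum left 0; constructed data)."""
    flags_frag = (DF if df else 0) | (MF if mf else 0) | (offset & 0x1FFF)
    return struct.pack(IPV4_FMT, 0x45, 0, 20, ident, flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def parse_ipv4(pkt):
    """Decode the fields relevant to the IP ID question from a raw IPv4 header."""
    (ver_ihl, _tos, _tlen, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"id": ident, "df": bool(flags_frag & DF), "mf": bool(flags_frag & MF),
            "offset": flags_frag & 0x1FFF, "proto": proto}

def ip_id_verdict(pkt):
    """'atomic'  : DF set and not a fragment; the ID is a don't-care, 0x0000 included.
       'ok'      : datagram that may be fragmented, carrying a non-zero ID.
       'anomaly' : fragmentable or fragmented datagram with ID 0; reassembly could not work."""
    h = parse_ipv4(pkt)
    atomic = h["df"] and not h["mf"] and h["offset"] == 0
    if atomic:
        return "atomic"
    return "ok" if h["id"] != 0 else "anomaly"

def audit(packets):
    """Classify each packet of a capture; only 'anomaly' entries need a closer look."""
    return [ip_id_verdict(p) for p in packets]

# Constructed trace mimicking the pattern described in the question.
TRACE = [
    build_ipv4(0x0000),                      # Monterey-style: DF set, ID 0x0000
    build_ipv4(0x0001),                      # short incrementing run ...
    build_ipv4(0x0002),
    build_ipv4(0x0000),                      # ... back to 0, still RFC-compliant
    build_ipv4(0x1234, df=False),            # classic incrementing-ID stack
    build_ipv4(0x0000, df=False),            # ID 0 on a fragmentable datagram
    build_ipv4(0x0000, df=False, mf=True),   # fragment with ID 0
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, audit(TRACE)):
        h = parse_ipv4(pkt)
        print(f"id=0x{h['id']:04x} df={h['df']!s:5} mf={h['mf']!s:5} -> {verdict}")
```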
