Multiple UDP packets in the same session are showing the same IP identification no. but have different data; interestingly, no fragmentation also.

asked 09 May '13, 10:01 kishan pandey
2 Answers:
If the UDP session is long lived, you are bound to see multiple packets with the same identification field. The field is only 16 bits long, so it rolls over every 65536 packets. How much time (and packets) do you see between the packets with the same ID?

answered 09 May '13, 12:50 SYN-bit ♦♦ edited 10 May '13, 03:23 grahamb ♦

Amazing sir, it's true: there are 4 packets, and the gap between each of them is 65470 packets and the time difference is around 110 seconds. Then it should be the same in TCP as well? (09 May '13, 23:05) kishan pandey

Yes, it is the same for all protocols running on top of IP. (09 May '13, 23:49) SYN-bit ♦♦

Hi Kurt, thanks a lot. One small correction was:

tshark -r file_1.pcap -T fields -e ip.id -e frame.number | sort > file_1.txt

answered 10 May '13, 04:58 kishan pandey

I guess this "answer" was meant to be a comment on this question, but I can't figure out how to move it. (10 May '13, 05:56) grahamb ♦
Can you post a capture file somewhere, perhaps www.cloudshark.org? Of course, it should not contain any confidential data.
No sir, I cannot due to limitation.
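The check discussed in the answers above, as an added example that is not part of the original thread: it reads the `ip.id` / `frame.number` output of the tshark command quoted above and reports the frame gap for every repeated ID, so a gap near 65536 can be told apart from a repeat that the 16-bit rollover does not explain. The function names, the tolerance of 1024 frames and the sample lines are assumptions made for this example, and it assumes the capture is filtered to a single sender.

```shell
#!/bin/sh
# ipid_repeats [TOL]: read "ip.id<TAB>frame.number" lines on stdin and print,
# for every repeated ID: id, previous frame, current frame, gap, verdict.
# verdict "wrap"  = gap within TOL frames of 65536 (16-bit ID space rollover)
# verdict "check" = repeat not explained by rollover; inspect those frames
# TOL (default 1024) is an assumed allowance for packets the capture missed.
ipid_repeats() {
    # Re-sort by frame number first: the thread's "| sort" orders lines by ID
    # as text, which would otherwise give meaningless or negative gaps.
    sort -t "$(printf '\t')" -k2,2n |
    awk -F'\t' -v wrap=65536 -v tol="${1:-1024}" '
        NF < 2 || $1 == "" { next }      # non-IP frames have an empty ip.id
        {
            split($1, ids, ",")          # tunnelled/ICMP-quoted packets list
            id = ids[1]                  # several IDs; keep the outer one
            frame = $2 + 0
            if (id in last) {
                gap = frame - last[id]
                d = gap - wrap
                if (d < 0) d = -d
                verdict = (d <= tol) ? "wrap" : "check"
                printf "%s\t%d\t%d\t%d\t%s\n", id, last[id], frame, gap, verdict
            }
            last[id] = frame
        }'
}

# Constructed sample input (not taken from the asker's capture), deliberately
# out of frame order and containing one non-IP frame with an empty ip.id.
sample_capture() {
    printf '0x3a1c\t12\n'
    printf '0x3a1c\t65482\n'
    printf '0x3a1d\t13\n'
    printf '0x3a1d\t15\n'
    printf '\t16\n'
}

sample_capture | ipid_repeats
```

On a real capture, pipe the tshark output straight in: `tshark -r file_1.pcap -T fields -e ip.id -e frame.number | ipid_repeats`.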