This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

udp multiple packet with same ip id

0

Multiple udp packets in a same session are showing same ip identification no. but has different data interestingly no fragmention also.

asked 09 May '13, 10:01

kishan%20pandey's gravatar image

kishan pandey
221282936
accept rate: 28%

Can you post a capture file somewhere, perhaps www.cloudshark.org? Of course, it should not contain any confidential data.

(09 May '13, 10:43) Jim Aragon

No sir i cannot due to limitation

(09 May '13, 22:40) kishan pandey

2 Answers:

3

If the UDP session is long lived, you are bound to see multiple packets with the same identification fiels. The field is only 16 bits long, so it rolls over every 65536 packets. How much time (and packets) do you see between the packets with the same ID?

answered 09 May '13, 12:50

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 10 May '13, 03:23

grahamb's gravatar image

grahamb ♦
19.8k330206

Amazing sir,its true there are 4 packets and gap between each of them is 65470 packets and time difference is around 110 seconds.Than it should be same in tcp as well?

(09 May '13, 23:05) kishan pandey

Yes, it is the same for all protocols running on top of IP.

(09 May '13, 23:49) SYN-bit ♦♦

0

Hi Kurt thanks a lot, one small correction was than tshark -r file_1.pcap -T fields -e ip.id -e frame.number | sort > file_1.txt

answered 10 May '13, 04:58

kishan%20pandey's gravatar image

kishan pandey
221282936
accept rate: 28%

I guess this "answer" was meant to be a comment on this question, but I can't figure out how to move it.

(10 May '13, 05:56) grahamb ♦