Can someone please explain or point me to the proper documentation that explains what the IP.ID field tells me and how to properly interpret it? I have done some searching and have been unable to find a clear definition. Thanks.
asked 09 Jul '14, 14:12
The following RFC explains it pretty much in detail
The short story: One purpose (probably the most important one) of the IP ID field is to enable systems to distinguish IP fragments and to do de-fragmentation or reassembly.
For a troubleshooter the IP ID field is interesting as well. If you see duplicate IP IDs in a capture file, it's usually a sign of a switching/routing loop somewhere, given the capture setup is O.K. and does not create duplicate frames itself (like mirroring the wrong ports on a switch).
Furthermore, if you capture at two different places between client and server you can use the IP ID field to figure out if some frames got lost on the way, given there are no network devices on the path that do IP ID rewriting (for security reasons, or as a result of some NAT operation). You do that by comparing the (sorted) list of the IP IDs of both capture files.
answered 09 Jul '14, 14:27
Kurt Knochner ♦
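Added example, not part of the original answer: a Python sketch of the two checks described above, reading classic pcap files with Ethernet framing and keying each packet on source, destination, protocol, IP ID and fragment offset so that fragments of one datagram are not reported as duplicates. The function names and the sample captures are constructed for illustration, and it assumes no NAT or IP ID rewriting between the capture points.

```python
import struct
from collections import Counter

def ip_ids(pcap):
    """(src, dst, proto, ip_id, frag_offset) per untagged IPv4 frame in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    keys, off = [], 24                        # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4, VLAN-tagged, or truncated
        ident, frag = struct.unpack("!HH", frame[18:22])
        keys.append((frame[26:30], frame[30:34], frame[23], ident, frag & 0x1FFF))
    return keys

def duplicates(keys):
    """Keys seen more than once in one capture (loop, or a capture setup that duplicates frames)."""
    return sorted(k for k, n in Counter(keys).items() if n > 1)

def lost(first_point, second_point):
    """Keys captured at the first point that never show up at the second."""
    return sorted(set(first_point) - set(second_point))

def sample_pcap(ids, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Constructed capture: one bare IPv4 header per IP ID (protocol 6, checksum left 0)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ident in ids:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0, 64, 6, 0, src, dst)
        frame = bytes(12) + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    client_side = sample_pcap([100, 101, 102, 103, 103])   # ID 103 captured twice
    server_side = sample_pcap([100, 102, 103])             # ID 101 never arrived
    print("duplicates:", [k[3] for k in duplicates(ip_ids(client_side))])
    print("lost:", [k[3] for k in lost(ip_ids(client_side), ip_ids(server_side))])
```

The ID field is 16 bits, so on long captures values repeat legitimately; run the comparison over short time windows.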