Reputation: 45
I opened a telnet session and Wireshark, and observed the connection.
What I know is that the normal increment of the IP ident field is "1" (in case of no fragmentation), but if fragmentation happens the identification field remains the same over all fragments.
But as I saw, it is not 1; it is a randomly changing value.
So what is the algorithm for incrementing the ident field?
Another question: if the DF flag is set, do we look at the ident field or do we just ignore it?
Upvotes: 0
Views: 1508
Reputation: 45
I found that the increment value depends on the time between packets. In telnet, if you send frequent fast characters, the ID will be incremented by one; if you send characters at slow speed, you will notice the difference. I didn't figure out the real relation, but it is related to time.
Upvotes: 0
Reputation: 2817
This is very implementation-dependent; in fact, the differences are exploited to do OS fingerprinting. For example, some Windows systems increment ID, but send the field in host-byte order rather than network-byte order.
It doesn't really matter and doesn't cause problems since ID is only used for fragmentation. So as you suggest, if DF is set, you can probably ignore ID, though I would sanity check that frag offset is 0 and total length matches the amount of data received.
Upvotes: 1
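The sanity check suggested in the answer above (with DF set, ignore ID but verify that the fragment offset is 0 and that Total Length matches what was received), plus a helper that reports the ID deltas the question is asking about, as an added Python example that is not part of any answer. The packets it runs on are constructed in-line with a zero checksum; they are not real captures.

```python
import struct

# Fixed 20-byte IPv4 header: ver/IHL, TOS, Total Length, Identification,
# flags+fragment offset, TTL, protocol, checksum, src, dst.
_IPV4_HDR = "!BBHHHBBH4s4s"

def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fields that matter for fragmentation handling."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, *_ = struct.unpack(_IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) * 4 < 20:
        raise ValueError("not an IPv4 header")
    return {
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),          # Don't Fragment
        "mf": bool(flags_frag & 0x2000),          # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8, # offset is in 8-byte units
    }

def is_consistent_unfragmented(pkt: bytes) -> bool:
    """DF set, no fragment offset, MF clear, and Total Length equal to the
    bytes actually received. ID is deliberately not consulted."""
    h = parse_ipv4_header(pkt)
    return (h["df"] and not h["mf"] and h["frag_offset"] == 0
            and h["total_length"] == len(pkt))

def id_deltas(packets) -> list:
    """Differences between consecutive Identification values (mod 2**16),
    so a +1 walk and a random walk can be told apart in a capture."""
    ids = [parse_ipv4_header(p)["id"] for p in packets]
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]

def build_ipv4(ident: int, payload_len: int, df: bool = True,
               frag_offset: int = 0, mf: bool = False) -> bytes:
    """Constructed sample packet (hypothetical 10.0.0.1 -> 10.0.0.2, TCP,
    checksum left as 0); used only to exercise the functions above."""
    flags_frag = ((0x4000 if df else 0) | (0x2000 if mf else 0)
                  | ((frag_offset // 8) & 0x1FFF))
    hdr = struct.pack(_IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + bytes(payload_len)

if __name__ == "__main__":
    print(id_deltas([build_ipv4(i, 0) for i in (1, 2, 3)]))  # [1, 1]
    print(is_consistent_unfragmented(build_ipv4(0x1234, 5)))  # True
```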
Reputation: 47163
My guess would be that it's pseudorandom, in order to make it harder for an attacker to guess the sequence and spoof the packets. What operating system is generating the funky identification values?
Upvotes: 0