Wireshark-bugs: [Wireshark-bugs] [Bug 11091] New: IP.ID does not uniquely id packets, Use ip add

Date: Sat, 28 Mar 2015 02:21:35 +0000
Bug ID: 11091
Summary: IP.ID does not uniquely id packets, Use ip addresses, ports and id to compare packets from two files
Product: Wireshark
Version: 1.6.7
Hardware: x86
OS: Windows XP
Status: UNCONFIRMED
Severity: Enhancement
Priority: Low
Component: GTK+ UI
Assignee: [email protected]
Reporter: [email protected]

Build Information:
Wireshark 1.6.7
--
The compare two files feature assumes the ip.id uniquely identifies IP packets
and provides the option to identify endpoints via MAC or TTL.  This enhancement
extends the goal identified in Bug 2580 (to detect foreign intrusion) to allow
calculation of transmission delay and allow calculation of processing delay
introduced by network devices (e.g., bridge or firewall).

Requested enhancements:
1)  Ip.id is not unique across multiple flows.  For example, Iperf generates
parallel streams between a source and destination, but only increases the ip.id
for each packet in each flow.  This leads to many "More than two packet"
messages.
  For each packet compare the ip.src, ip.dst, (tcp|udp).srcport,
(tcp|udp).dstport, and ip.id.  This should provide fewer "more than two packet"
messages and reduce false negatives.  Note for other IP protocols, use 0 for
port.

2)  Endpoint detection assumes a router is present between capture points.
Allow selection of MAC, TTL or none option.  The none option would disable the
endpoint coloring and would be used when a router is not present between
capture points.

3)  The tool should assume "ip" is part of the filter.

Use Cases:
1)  Transmission delay - The feature currently allows this use case, but it
would be enhanced by reducing the number of "more than two packets" problems.

2)  Processing delay - 
  Capture files may be produced on both sides of the device under test (DUT).
  The checks provide the following indications:
   * Missing packets either indicates the packets were intended for or
generated by the DUT, the DUT chose not to forward the packet, or the DUT
could not process all of the packets.  The first indication could be filtered.
Hopefully the DUT provides a log to assess the last two indications.
   * Different checksum indicates the packets were mutated by the DUT.  For
example an IP Option was added.  This may be intended behavior of DUT.
   * Large delay indicates the processing delay exceeds expectations.
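The matching and the three processing-delay indications described in this report, as an added Python example that is not Wireshark code and not the reporter's. It keys packets on (ip.src, ip.dst, srcport, dstport, ip.id) with port 0 for non-TCP/UDP protocols, and can fall back to ip.id-only matching to show the "more than two packets" ambiguity the report describes. The IPv4/UDP/ICMP frames, addresses, ports and timestamps are constructed sample data, not a real capture; the 1500 microsecond delay budget is an assumed threshold.

```python
"""Added example: compare two captures keyed on addresses, ports and ip.id
rather than ip.id alone, and report missing, mutated and delayed packets.
Not Wireshark code; all frames below are constructed sample data."""
import struct
from collections import defaultdict


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, ip_id, payload, ttl=64, options=b""):
    """Construct an IPv4 datagram with a valid header checksum (sample data only)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      ip_id, 0, ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split(".")))) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport, dport, data):
    """Minimal UDP header; a zero UDP checksum is legal over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def packet_key(frame: bytes, full_key=True):
    """Key proposed in the report: addresses, ports and ip.id, port 0 for other
    IP protocols.  full_key=False reproduces the ip.id-only matching."""
    ihl = (frame[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", frame[4:6])[0]
    if not full_key:
        return (ip_id,)
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport = dport = 0
    if frame[9] in (6, 17):  # TCP or UDP: ports are the first 4 bytes after the IP header
        sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return (src, dst, sport, dport, ip_id)


def compare_captures(cap_a, cap_b, max_delay_us, full_key=True):
    """cap_a / cap_b: lists of (timestamp_us, ipv4_frame) from the two capture points.
    Returns the indications from the report's processing-delay use case."""
    index = {}
    for name, cap in (("a", cap_a), ("b", cap_b)):
        groups = defaultdict(list)
        for ts, frame in cap:
            groups[packet_key(frame, full_key)].append((ts, frame))
        index[name] = groups
    findings = {"ambiguous": [], "missing": [], "mutated": [], "delayed": [], "delays": {}}
    for key in sorted(set(index["a"]) | set(index["b"])):
        a, b = index["a"].get(key, []), index["b"].get(key, [])
        if len(a) > 1 or len(b) > 1:  # the "more than two packets" case
            findings["ambiguous"].append(key)
            continue
        if not a or not b:  # seen at only one capture point; record which side has it
            findings["missing"].append((key, "a" if a else "b"))
            continue
        (ts_a, frame_a), (ts_b, frame_b) = a[0], b[0]
        # A changed IP header checksum means the DUT rewrote the header (e.g. added
        # an option).  A routing DUT also changes it by decrementing TTL.
        if frame_a[10:12] != frame_b[10:12]:
            findings["mutated"].append(key)
        delay = ts_b - ts_a
        findings["delays"][key] = delay
        if delay > max_delay_us:
            findings["delayed"].append(key)
    return findings


# Constructed sample: two parallel iperf-style UDP streams that both start at
# ip.id 1, plus one ICMP echo; capture B is on the far side of the DUT.
SRC, DST = "10.0.0.1", "10.0.0.2"
ICMP_ECHO = b"\x08\x00\x00\x00"


def stream_pkt(sport, ip_id):
    return build_ipv4(SRC, DST, 17, ip_id, build_udp(sport, 5001, b"iperf"))


CAPTURE_A = [
    (0, stream_pkt(40001, 1)),
    (1000, stream_pkt(40002, 1)),  # second stream reuses ip.id 1
    (2000, stream_pkt(40001, 2)),
    (3000, build_ipv4(SRC, DST, 1, 7, ICMP_ECHO)),
]
CAPTURE_B = [
    (1000, stream_pkt(40001, 1)),  # 1 ms through the DUT
    (4000, stream_pkt(40002, 1)),  # 3 ms: exceeds the assumed budget
    (3500, build_ipv4(SRC, DST, 1, 7, ICMP_ECHO, options=b"\x01\x01\x01\x01")),  # NOP options added
    # stream_pkt(40001, 2) never reaches B: dropped or consumed by the DUT
]

if __name__ == "__main__":
    for mode, label in ((False, "ip.id only"), (True, "addresses+ports+ip.id")):
        print(label, compare_captures(CAPTURE_A, CAPTURE_B, 1500, full_key=mode))
```

With ip.id-only keys the two parallel streams collapse into one ambiguous group and the comparison is lost; with the full key every packet matches exactly once, so the missing, mutated and delayed indications can each be attributed to a specific flow.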
