Understand IP Fragmentation and Duplicate IP ID in Packet Analysis

Background

A user reported being confused by the contents of a recently captured packet, where two Ethernet packets looked like two fragments of a TCP/IP payload, because it had the Ethernet identifier IPv4 (0x0800), the IP ID showed the same value, and the source/destination IP address and port were the same. However, the IPv4 headers of the two packets did not have the identifiers for IP fragments:

  • Don’t Fragment Tag
  • More Fragments Tags
  • Fragment offset is 0

Judging from the data packet phenomenon reported by users, this is indeed a rather strange case, but network protocol analysis requires seeing is believing, after all, no one is an expert in guessing.

Problem Information

The basic information of the packet trace file is as follows:

The number of data packets is only 6, the packet capture client system is Win10, and Wireshark captures it directly. There is no alarm information in the entire data packet content, and everything is normal.

image.png

Problem Analysis

Based on the above data packet content, including Wireshark’s judgment and analysis, there is actually no problem. However, as users feedback, there is suspected IP fragmentation. The reason for judgment is the existence of the same IP ID .

Expand the IP ID information, and indeed, as the user said, packets No. 2 and No. 4 have the same IP ID value 0x135e .

Understand IP Fragmentation and Duplicate IP ID
image.png

IP ID and fragmentation

First of all, what is IP ID? It actually refers to IPv4 Identification . For details, see RFC 791:

image.png
Identification:  16 bits

    An identifying value assigned by the sender to aid in assembling the fragments of a datagram.

As RFC 791explained in , IP ID is an identification value assigned by the sender to assist in assembling datagram fragments. RFC 6864 Updated Specification of the IPv4 ID FieldRelated concepts are also defined in :

In IPv4, the Identification (ID) field is a 16-bit value that is unique for every datagram for a given source address, destination address, and protocol, such that it does not repeat within the maximum datagram lifetime (MDL) [RFC791] [RFC1122].  As currently specified, all datagrams between a source and destination of a given protocol must have unique IPv4 ID values over a period of this MDL, which is typically interpreted as two minutes and is related to the recommended reassembly timeout [RFC1122].  This uniqueness is currently specified as for all datagrams, regardless of fragmentation settings.

In IPv4, the ID is unique for a given source address, destination address, and protocol, and will not be repeated within the maximum datagram lifecycle. Generally speaking, the sender often uses an incremental value, as shown below. Of course, given the source address, destination address, and protocol, different streams transmitted at the same time will share the IP ID value, so sometimes the IP ID values ​​of the upper and lower packets in the same stream will be spaced and not continuous.

image.png

Speaking of IP fragmentation, due to the need for fragmentation and reassembly, a unique ID is required. Therefore, the same datagram will eventually generate multiple datagrams with the same IP ID due to the requirements of fragmentation. The following example takes a Ping packet of 5600 bytes as an example. Due to the MTU 1500, it is divided into 4 datagrams, whether it is an icmp request or an icmp reply.

image.png
image.png

Further analysis

In summary, the user judged that there was fragmentation based on the condition of IP ID duplication , but there were no fields that should exist for fragmentation, such as Don’t fragment, More fragments, etc., so doubts arose.

But in fact, in addition to the IP fragmentation scenario that causes IP ID duplication, duplication may also occur in some special scenarios:

  1. In high-speed transmission scenarios, the 16-bit value of the IP ID cannot guarantee that the IP ID in the packet tracking file will not be repeated. If it continues to increase to the end, it will be another cycle;
  2. Some systems do not assign IP ID values ​​at the protocol stack level, and the datagram IP ID value will be displayed as 0x0000;
  3. Some intermediate devices have the ability to change IP ID values, such as NAT, security devices, proxies, or load balancers. Since they have the ability to change, they may change to the same value;
  4. An error at the protocol stack level may result in duplicate IP ID values ​​being assigned, including at the sender or intermediate device.

The user’s packet trace file also illustrates this problem very well. No.1, No.2 and No.4 are actually three consecutive TCP segments. The TCP Seq Num clearly shows that they are not real IP fragments, and naturally there is no fragment field. Based on the RFC definition of the use of IP ID, its repetitiveness will not cause transmission problems, so Wireshark judges that there is nothing abnormal here.

image.png

Therefore, my personal judgment on this user’s problem is that there is an error at the protocol stack level, and duplicate IP ID values ​​are assigned. Because of the unknown operating environment, the problem may be at the sending end or at the intermediate device.

Summary of the problem

Grasp the basic knowledge points, combine them with various scenarios, and reasonably restore the truth of the data packet.

Click to rate this post!
[Total: 0 Average: 0]