5.2.2 Manipulating the IP ID Field
The Identification (ID) field of the IPv4 header exists so that the receiving host can reassemble fragmented datagrams. The sender gives every datagram a value meant to be unique (for a given source, destination and protocol) while its fragments could still be in flight; each fragment carries that value, and the receiver uses it to match fragments back into the original datagram.
This method replaces the ID field with a value that encodes the information to be sent (for simplicity, one ASCII character per packet). Nothing about the transmission itself changes, only the value carried in that field: the recipient reads the ID field of each packet and applies a decoding rule that recovers the ASCII value the source intended to transmit.
Here is a brief example of traffic, as captured by tcpdump, showing how the text string ("MICKEY") can be transmitted to a Web server one character per packet. The decoding rule subtracts one from the ID field and reduces the result modulo 256 to obtain the original ASCII value; the sender therefore sets the low byte of the ID to the character code plus one and is free to fill the high byte arbitrarily, so consecutive IDs do not look sequential.
Ascii('M') = 77
Ascii('I') = 73
Ascii('C') = 67
Ascii('K') = 75
Ascii('E') = 69
Ascii('Y') = 89
10:38:59.797237 IP (ttl 47, id 26702) foo.bar.com.57459 > test.bar.com.www: ...
Decoding: ... (26702 - 1) mod 256 = 77 = 'M'
10:39:00.797237 IP (ttl 47, id 34378) foo.bar.com.48376 > test.bar.com.www: ...
Decoding: ... (34378 - 1) mod 256 = 73 = 'I'
10:39:01.797237 IP (ttl 47, id 36164) foo.bar.com.17583 > test.bar.com.www: ...
Decoding: ... (36164 - 1) mod 256 = 67 = 'C'
10:39:02.797237 IP (ttl 47, id 23884) foo.bar.com.26587 > test.bar.com.www: ...
Decoding: ... (23884 - 1) mod 256 = 75 = 'K'
10:39:03.797237 IP (ttl 47, id 27206) foo.bar.com.18957 > test.bar.com.www: ...
Decoding: ... (27206 - 1) mod 256 = 69 = 'E'
10:39:04.797237 IP (ttl 47, id 20048) foo.bar.com.31769 > test.bar.com.www: ...
Decoding: ... (20048 - 1) mod 256 = 79 = 'O' (not 'Y': the ID printed in this last line does not encode the intended 'Y' = 89, which would require an ID congruent to 90 modulo 256)
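The encoding and decoding rule above, worked through in Python as an added example (this is not code from the book or from any tool it describes). The six capture lines are transcribed from the excerpt, the hostnames and the tcpdump -v line layout mimic it, and the helper names (encode_char, decode_capture, forge_capture and so on) are assumptions. Nothing is sent on the wire: the "forged" side only renders the lines tcpdump would print for such packets, which is enough to check the arithmetic in both directions.

```python
"""Covert channel in the IPv4 Identification field: encoder plus a decoder
that reads tcpdump -v output. Added example; helper names are assumptions."""
import random
import re

# Capture lines transcribed from the text above (the "MICKEY" example).
PAGE_CAPTURE = [
    "10:38:59.797237 IP (ttl 47, id 26702) foo.bar.com.57459 > test.bar.com.www: ...",
    "10:39:00.797237 IP (ttl 47, id 34378) foo.bar.com.48376 > test.bar.com.www: ...",
    "10:39:01.797237 IP (ttl 47, id 36164) foo.bar.com.17583 > test.bar.com.www: ...",
    "10:39:02.797237 IP (ttl 47, id 23884) foo.bar.com.26587 > test.bar.com.www: ...",
    "10:39:03.797237 IP (ttl 47, id 27206) foo.bar.com.18957 > test.bar.com.www: ...",
    "10:39:04.797237 IP (ttl 47, id 20048) foo.bar.com.31769 > test.bar.com.www: ...",
]

# Matches the "id NNNN" token tcpdump -v prints inside the IP header summary.
ID_RE = re.compile(r"\bid (\d+)\b")


def encode_char(ch: str, rng: random.Random) -> int:
    """Build a 16-bit IP ID: low byte = (character code + 1), high byte random cover."""
    code = ord(ch)
    if code > 0xFF:
        raise ValueError("only single-byte characters fit in the low byte of the ID")
    low = (code + 1) & 0xFF          # the page's "+1" offset; the decoder subtracts it
    high = rng.randrange(0x100)      # random high byte so the IDs do not look sequential
    return (high << 8) | low         # always within 0..65535


def decode_id(ident: int) -> str:
    """The page's decoding rule: subtract one, reduce modulo 256, map to ASCII."""
    return chr((ident - 1) % 256)


def encode_message(msg: str, seed=None) -> list:
    """One IP ID per character; a seed makes the cover bytes reproducible."""
    rng = random.Random(seed)
    return [encode_char(c, rng) for c in msg]


def forge_capture(msg: str, seed=None, src="foo.bar.com", dst="test.bar.com") -> list:
    """Render the tcpdump -v lines that one forged packet per character would produce.
    This only mimics the excerpt's output format; no packet is built or sent."""
    rng = random.Random(seed)
    lines = []
    for n, ident in enumerate(encode_message(msg, seed)):
        sport = rng.randrange(1024, 65536)   # fresh ephemeral source port per forged packet
        lines.append(f"10:38:{n % 60:02d}.000000 IP (ttl 47, id {ident}) "
                     f"{src}.{sport} > {dst}.www: ...")
    return lines


def decode_capture(lines) -> str:
    """Recover the hidden text from tcpdump -v lines: one character per packet.
    Lines without an IP ID (ARP, truncated output) contribute nothing."""
    chars = []
    for line in lines:
        m = ID_RE.search(line)
        if m:
            chars.append(decode_id(int(m.group(1))))
    return "".join(chars)


def round_trip(msg: str, seed=1) -> str:
    """Encode, render as capture lines, decode again; returns the recovered text."""
    return decode_capture(forge_capture(msg, seed))


if __name__ == "__main__":
    print("page excerpt decodes to:", decode_capture(PAGE_CAPTURE))
    for line in forge_capture("MICKEY", seed=1):
        print(line, "->", decode_capture([line]))
```

Two practical points follow from the code. The sender cannot simply open a normal socket, because the operating system's IP stack chooses the ID itself (sequentially or randomly, depending on the system), so each character has to go out in a raw, purpose-built packet with the ID set by hand; the receiver, conversely, needs only a packet capture on the path, not a socket of its own. And because the decoding rule is trivial, a defender can apply it too: a stream of packets from one source whose (id - 1) mod 256 values all fall in the printable ASCII range is exactly what this channel looks like on the wire.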
This method uses a forged, purpose-built packet with correct source and destination fields and the coded information carried in the ID field. The remote host receives the