
The RFC (rfc6864 - Updated Specification of the IPv4 ID Field) mentions that the field has been used for various reasons in the past.

Are the MAC addresses real or was the capture modified?
It's only one vendor (example: eth.addr == 00:09:fb:c8:88:7e) that is doing this.
The device mainly uses 76 but in frame 369 has what looks more normal - 59103.
Can you open a support ticket directly with that vendor?

$ ./tshark -r /tmp/mozilla_admin10/*BFR -T fields -e ip.id | sort | uniq -c | sort -n | tail -10
     46 0x000000d0
     56 0x0000006a
     57 0x0000009c
     58 0x00000042
    105 0x00000068
    205 0x0000005c
    363 0x00000046
    607 0x00000090
   1433 0x00000000
   5612 0x0000004c
$
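
Following up on the per-vendor observation in the answer above, this added example (not part of the original answer) summarizes IP ID usage per source MAC and separates atomic datagrams (DF set, MF clear, fragment offset 0), whose ID value RFC 6864 says receivers must ignore, from non-atomic ones where ID reuse can matter. The tshark field list in the comment, the function names and the sample rows are assumptions constructed for illustration; only the first MAC address and the ID values 76 (0x004c) and 59103 (0xe6df) come from the page.

```shell
#!/bin/sh
# Added example. Expects tab-separated rows such as this (assumed) invocation emits:
#   tshark -r capture.pcap -Y ip -T fields -e eth.src -e ip.src -e ip.dst \
#     -e ip.proto -e ip.id -e ip.flags.df -e ip.flags.mf -e ip.frag_offset
# Prints per source MAC:
#   mac  packets  distinct_ids  top_id  top_count  non_atomic  reused_ids
ipid_by_src() {
    awk -F '\t' '
    # tshark prints booleans as 1/0 or True/False depending on version.
    function truthy(v) { return (v == "1" || v == "True") }
    NF >= 8 {
        mac = $1; id = $5
        total[mac]++
        if (++cnt[mac, id] == 1) distinct[mac]++
        if (cnt[mac, id] > topn[mac]) { topn[mac] = cnt[mac, id]; top[mac] = id }
        # RFC 6864 atomic datagram: DF=1, MF=0, fragment offset 0.
        atomic = truthy($6) && !truthy($7) && ($8 + 0 == 0)
        if (!atomic) {
            nonatomic[mac]++
            # Fragments of one datagram share an ID, so count only packets at
            # offset 0 (one per datagram). A second one with the same
            # src/dst/proto/ID means the ID was reused inside this capture
            # (heuristic: the RFC bounds reuse by datagram lifetime instead).
            if ($8 + 0 == 0 && ++first[mac, $2, $3, $4, id] == 2) reuse[mac]++
        }
    }
    END {
        for (m in total)
            printf "%s\t%d\t%d\t%s\t%d\t%d\t%d\n", m, total[m], distinct[m],
                   top[m], topn[m], nonatomic[m], reuse[m]
    }' | sort
}

# Constructed sample rows (not taken from the capture discussed above).
sample_lines() {
    tr ' ' '\t' <<'EOF'
00:09:fb:c8:88:7e 192.0.2.10 192.0.2.1 6 0x004c 1 0 0
00:09:fb:c8:88:7e 192.0.2.10 192.0.2.1 6 0x004c 1 0 0
00:09:fb:c8:88:7e 192.0.2.10 192.0.2.1 6 0x004c 1 0 0
00:09:fb:c8:88:7e 192.0.2.10 192.0.2.1 6 0xe6df 1 0 0
00:09:fb:c8:88:7e 192.0.2.10 192.0.2.1 6 0x004c 1 0 0
02:00:00:00:00:01 192.0.2.20 192.0.2.1 17 0x1a2b 0 1 0
02:00:00:00:00:01 192.0.2.20 192.0.2.1 17 0x1a2b 0 0 1480
02:00:00:00:00:01 192.0.2.20 192.0.2.1 17 0x1a2b 0 1 0
02:00:00:00:00:01 192.0.2.20 192.0.2.1 17 0x1a2c 0 0 0
EOF
}

sample_lines | ipid_by_src
```

A device whose repeated IDs all fall in the atomic column is within what RFC 6864 permits; a non-zero `reused_ids` count on fragmentable traffic is the case worth raising with the vendor.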
