When a host needs to resend a packet (whatever the payload), is there any field in the header that gets modified, so that you can tell that it is a duplicate packet?
1 Answer
No. IP packets are not resent; that's a function of the higher protocol layers.
Some transport protocols, e.g. TCP or SCTP, have retransmission built into them that re-sends packets at that protocol layer; some application protocols, e.g. DNS, apply retransmission at the application protocol layer.
The IP layer does not know or care about this; there are no protocol fields that identify a retransmission from a higher layer.

nos
-
True, I totally forgot. OK. But is there a field in TCP packets for this? – Ricky Robinson Aug 06 '12 at 16:35
-
No there is not. You'll have to track the sequence numbers. – nos Aug 06 '12 at 16:40
-
Oh ok, so you're saying that sequence numbers are different, right? I'm asking because I have to match ICMP packets with their corresponding data packet and I'm having some trouble with duplicates. – Ricky Robinson Aug 06 '12 at 19:43
-
@Ricky Robinson You'd need to keep track of the sequence numbers, or at least the packets that fit inside the sliding window, i.e. if you've seen TCP sequence numbers 7,8,9,11,12 you know another packet with sequence number 12 is a retransmission. You can also know that packets with sequence number <= 9 are retransmissions. But if you get packet 10 or any > 12, it's not a retransmission. However, matching ICMP is another matter: an ICMP packet (usually) carries back the IP packet that caused the problem; you can match this on the IP identification field combined with the source/destination IP. – nos Aug 06 '12 at 19:55
-
That is, not the IP identification + source/destination address of the IP packet carrying the ICMP packet, but of the IP packet carried by ICMP. – nos Aug 06 '12 at 20:00
-
Yes, it has to be the IP-in-ICMP layer. Thanks for the reply, you brushed up my memory on this. So, in your opinion, instead of comparing IP header + first 8 bytes of payload, I could make it easier for myself and just compare IP source and destination + IP identification field. Interesting. I just read about the identification field [here](http://www.networksorcery.com/enp/protocol/ip.htm). Will this be enough for the 4-tuple (IP src, IP addr, proto, IP identification field) to be unique? – Ricky Robinson Aug 07 '12 at 09:30
-
My problem with ICMP matching comes up because I'm replaying user traffic with a low TTL value. Hence duplicate packets as well. This means that for n duplicate packets that I'm replaying, I will get as many as n ICMP packets back. Now, how do I know which one belongs to which? Is it even possible to identify such a thing? I'm afraid the only solution will be to simply remove duplicate packets altogether from the traffic I'm replaying. – Ricky Robinson Aug 07 '12 at 09:32
-
@Ricky Robinson Well, can't you do what I mentioned? Peek inside the IP packet that ICMP carries back, and find the packet you sent that has the same source/destination IP and IP identification field? Note that ICP is often throttled, so you might not get an ICMP packet for every "error". – nos Aug 07 '12 at 10:08
-
I'll try in an hour. I guess ICP was a typo for ICMP, right? If I send each data packet every, say, 0.1 seconds, I shouldn't experience any throttling, I think. – Ricky Robinson Aug 07 '12 at 10:47
-
No, the IP ID is not a unique identifier at all. I posted more details here: http://stackoverflow.com/questions/12141522/matching-data-packets-and-icmp-packets-in-case-of-tcp-duplicates – Ricky Robinson Aug 27 '12 at 16:27
-
@Ricky Robinson Well, that means you're tricking the IP stack somehow, and not letting the IP layer assign an identification field (e.g. if you're using raw sockets), in which case, yea, the id field (combined with the IP addresses) is not enough. – nos Aug 27 '12 at 16:36
-
Oh ok. I'm using Scapy, which sits on top of raw sockets. – Ricky Robinson Aug 27 '12 at 18:30
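
The matching discussed in the comments above, as an added example that is not part of the original thread: it parses the IP header plus first 8 payload bytes quoted inside an ICMP error and looks up the sent packet with the same fields. All addresses, ports, IDs and helper names are constructed for illustration, and the payload is assumed to be TCP.

```python
import socket
import struct

def ip_tcp(src, dst, ip_id, sport, dport, seq, ttl=1):
    """Constructed 20-byte IPv4 header + 20-byte TCP header (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, 0x5010, 8192, 0, 0)
    return ip + tcp

def icmp_time_exceeded(original):
    """Constructed ICMP type 11 message quoting the IP header + first 8 payload bytes."""
    ihl = (original[0] & 0x0F) * 4
    return struct.pack("!BBHI", 11, 0, 0, 0) + original[:ihl + 8]

def key_of(ip_packet):
    """(src, dst, proto, IP ID, sport, dport, TCP seq) of a packet or quoted fragment.

    TTL and header checksum are left out because routers rewrite them in transit.
    Assumes the payload is TCP, whose first 8 bytes hold both ports and the sequence number.
    """
    ihl = (ip_packet[0] & 0x0F) * 4
    (ip_id,) = struct.unpack_from("!H", ip_packet, 4)
    proto = ip_packet[9]
    src = socket.inet_ntoa(ip_packet[12:16])
    dst = socket.inet_ntoa(ip_packet[16:20])
    sport, dport, seq = struct.unpack_from("!HHI", ip_packet, ihl)
    return (src, dst, proto, ip_id, sport, dport, seq)

def match_icmp(sent, icmp_msg):
    """Indices of sent packets matching the packet quoted in the ICMP error."""
    want = key_of(icmp_msg[8:])  # skip the 8-byte ICMP header
    return [i for i, pkt in enumerate(sent) if key_of(pkt) == want]

# Constructed replay: packet 2 is a byte-identical duplicate of packet 0,
# as happens when a capture is replayed over raw sockets with its IP ID preserved.
SENT = [
    ip_tcp("198.51.100.10", "192.0.2.7", 0x1111, 40000, 80, 1000),
    ip_tcp("198.51.100.10", "192.0.2.7", 0x1112, 40000, 80, 2000),
    ip_tcp("198.51.100.10", "192.0.2.7", 0x1111, 40000, 80, 1000),
]

if __name__ == "__main__":
    print(match_icmp(SENT, icmp_time_exceeded(SENT[1])))  # one candidate
    print(match_icmp(SENT, icmp_time_exceeded(SENT[0])))  # ambiguous: two candidates
```

When the duplicate carries the same IP ID and TCP sequence number, the quoted bytes are identical and the ICMP error can only be narrowed to the set of duplicates, not to a single sent packet.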