As part of the internet measurements course at TU Dresden we set up a measurement project of IP identification. IP ID is a header field defined in IPv4 packets originally used for reassembling fragmented datagrams from multiple packets.

This project was two-fold - firstly, individual operating systems were examined for their use of the IP ID field in the IPv4 header. Scans were done manually or with the help of tools like Zmap. IP ID usage is mostly the same for Linux and Windows. For smaller packets the IP ID header field is set to 0 (e.g. SYN ACK, RST). If a proper TCP connection has already been established the IP ID is incremented by one for every new packet. UDP and ICMP use random values for the IP ID. Every packet gets incremented by a pseudo random value.

Secondly, a specific set of devices across the internet was examined. The required IP addresses were acquired by using shodan.io. With specific filters one is able to get results for specific devices or operating systems. Around 1,000 IP addresses of Cisco devices were downloaded and filtered for duplicates. All devices were subjected to TCP-SYN, UDP, and ICMP echo scans along all ports. The response’s IP IDs for TCP can be seen in the bar chart.