COMMAND
kernel
SYSTEMS AFFECTED
Win32
PROBLEM
Ofir Arkin found the following. RFC 792 (Internet Control Message
Protocol) suggests how the ICMP Identifier field and the ICMP
Sequence Number field should be used:
"The identifier and sequence number may be used by the echo
sender to aid in matching the replies with the echo requests.
For example, the identifier might be used like a port in TCP
or UDP to identify a session, and the sequence number might be
incremented on each echo request sent. The echoer returns
these same values in the echo reply".
In other words, the RFC suggests that the ICMP Identifier field be
used to differentiate between ICMP Query messages sent to different
hosts (or by different sessions), and that the ICMP Sequence Number
field be used to differentiate between successive ICMP Query messages
sent to the same host.
The 'ping' utility on UNIX and UNIX-like operating systems has
adopted this suggestion.
Examining the behavior of the 'ping' utility on Microsoft Windows
based operating systems reveals a different pattern.
The following trace (captured with the windump program,
http://netgroup-serv.polito.it/windump/install/Default.htm)
shows the ICMP Echo requests generated by launching two ping commands
at the same time from a Microsoft Windows 2000 SP1 based machine.
One instance was aimed at the host 172.18.1.2, the other at the host
172.18.1.134:
E:\>windump -xnvv -s 1600 icmp
windump: listening on \Device\Packet_{79C233F1-6CD7-49EB-8FA2-FA825CB1C9C3}
11:31:21.848025 172.18.1.179 > 172.18.1.2: icmp: echo request (ttl 128, id 11071)
4500 003c 2b3f 0000 8001 b4a8 ac12 01b3
ac12 0102 0800 265c 0300 2400 6162 6364
6566 6768 696a 6b6c 6d6e 6f70 7172 7374
7576 7761 6263 6465 6667 6869
11:31:22.221772 172.18.1.179 > 172.18.1.134: icmp: echo request (ttl 128, id 11075)
4500 003c 2b43 0000 8001 b420 ac12 01b3
ac12 0186 0800 255c 0300 2500 6162 6364
6566 6768 696a 6b6c 6d6e 6f70 7172 7374
7576 7761 6263 6465 6667 6869
11:31:22.844726 172.18.1.179 > 172.18.1.2: icmp: echo request (ttl 128, id 11077)
4500 003c 2b45 0000 8001 b4a2 ac12 01b3
ac12 0102 0800 245c 0300 2600 6162 6364
6566 6768 696a 6b6c 6d6e 6f70 7172 7374
7576 7761 6263 6465 6667 6869
11:31:23.215222 172.18.1.179 > 172.18.1.134: icmp: echo request (ttl 128, id 11078)
4500 003c 2b46 0000 8001 b41d ac12 01b3
ac12 0186 0800 235c 0300 2700 6162 6364
6566 6768 696a 6b6c 6d6e 6f70 7172 7374
7576 7761 6263 6465 6667 6869
11:31:23.846116 172.18.1.179 > 172.18.1.2: icmp: echo request (ttl 128, id 11079)
4500 003c 2b47 0000 8001 b4a0 ac12 01b3
ac12 0102 0800 225c 0300 2800 6162 6364
6566 6768 696a 6b6c 6d6e 6f70 7172 7374
7576 7761 6263 6465 6667 6869
11:31:24.216645 172.18.1.179 > 172.18.1.134: icmp: echo request (ttl 128, id 11080)
4500 003c 2b48 0000 8001 b41b ac12 01b3
ac12 0186 0800 215c 0300 2900 6162 6364
6566 6768 696a 6b6c 6d6e 6f70 7172 7374
7576 7761 6263 6465 6667 6869
As can be seen, the ICMP Identifier field (the two bytes following the
ICMP checksum, 0300 in every datagram) holds the same value in both
instances, even though the 'ping' utility is sending ICMP Echo
requests to two separate hosts. Read in network byte order the value
is 0x0300, i.e. 768 decimal.
So how does the 'ping' utility on Microsoft operating systems tell
the different ICMP Queries apart? It uses the Sequence Number field:
every ICMP Echo Request carries a unique Sequence Number, and the gap
between one value and the next is 0x100 (256 decimal). Note that the
raw bytes (24 00, 25 00, 26 00, ...) are exactly what a 16-bit counter
incremented by one and written in the host's little-endian byte order
looks like on the wire, and the Identifier bytes 03 00 are likewise
the host-order value 3. The network-order reading used below is what
a sniffer shows, and the divide-by-256 arithmetic gives the same count
either way.
This raises another interesting question: if the ICMP Identifier
field has a constant value, can we identify the different Microsoft
operating systems passively when someone uses the 'ping' utility to
query our machines? Yes. The Identifier values (network byte order)
observed per operating system are:
Microsoft Windows NT - 256
Microsoft Windows 98/98SE - 512
Microsoft Windows 2000 - 512
Microsoft Windows ME - 768
Microsoft Windows 2000 Family with SP1 - 768
With the 'ping' utility on Microsoft operating systems the values
assigned to the different ICMP datagram fields are chosen by the
operating system (in contrast with the 'ping' utility on UNIX and
UNIX-like operating systems, which fills in the application's own
values; the BSD-derived 'ping', for example, uses its process ID as
the Identifier). When other applications on Microsoft operating
systems generate ICMP Query messages, the ICMP Identifier field will
carry the same values as with the 'ping' utility, provided those
applications use the Microsoft MFC.
Therefore, whenever we see an ICMP Query datagram with an ICMP
Identifier field value of 256, 512 or 768, it indicates that the
sending operating system is Microsoft based. Keep in mind that this
is a heuristic, not proof: a raw-socket tool can forge any Identifier,
and a UNIX 'ping' process whose PID happens to map to one of these
values will look the same, so the Sequence Number pattern described
next should be checked as well.
We can also look at the ICMP Sequence Number field for extra
information. The 'ping' utility on MS based operating systems issues
its first ICMP Query message (after boot) with the ICMP Sequence
Number field set to 256 (the 'ping' utility on UNIX and UNIX-like
operating systems sets this field to 0 on its first query to a host).
The value increases by 256 decimal with each ICMP Query message sent
(with the UNIX and UNIX-like 'ping' utility the value increases only
within one sequential run of queries: each time the 'ping' command is
issued, the field is reset to 0 for the first query sent).
We can even calculate the number of ICMP Query messages a Windows
based OS has issued since it was last booted: all we need to do is
divide the ICMP Sequence Number field value by 256.
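The passive checks described in the Identifier and Sequence Number paragraphs above, as an added example that is not part of the original advisory: a Python script that parses windump-style hex dumps, extracts the ICMP Identifier and Sequence Number, maps the Identifier onto the table of Windows versions, divides the Sequence Number by 256, and contrasts the result with a constructed UNIX-style echo request whose Identifier is an assumed process ID (0x1234, chosen for illustration). The first two datagrams of the Windows 2000 SP1 trace are embedded as sample input; the script also prints the little-endian host-order reading of the same two fields, which the original text does not discuss.

```python
# Added example, not code from the original advisory: apply the ICMP
# Identifier / Sequence Number fingerprinting heuristics to hex dumps.
import struct

# Constant ICMP Identifier values (network byte order, as seen on the wire)
# that the advisory attributes to the Windows 'ping' utility.
WINDOWS_ICMP_IDS = {
    256: ["Windows NT"],
    512: ["Windows 98/98SE", "Windows 2000"],
    768: ["Windows ME", "Windows 2000 SP1"],
}


def hexdump_to_bytes(dump):
    """Turn 'windump -x' style hex words into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_icmp_echo(pkt):
    """Decode an IPv4 datagram carrying an ICMP Echo request or reply.

    Returns the addresses, the ICMP type, and the Identifier and Sequence
    Number both as read in network byte order (what a sniffer displays)
    and as little-endian host-order integers.
    """
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if pkt[9] != 1:                      # protocol field: 1 = ICMP
        raise ValueError("not an ICMP datagram (proto %d)" % pkt[9])
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    icmp = pkt[ihl:ihl + 8]
    icmp_type, code, _csum, ident_be, seq_be = struct.unpack("!BBHHH", icmp)
    if icmp_type not in (0, 8):          # 8 = echo request, 0 = echo reply
        raise ValueError("not an ICMP echo message (type %d)" % icmp_type)
    ident_le, seq_le = struct.unpack("<HH", icmp[4:8])
    return {
        "src": src, "dst": dst, "type": icmp_type,
        "id": ident_be, "seq": seq_be,
        "id_le": ident_le, "seq_le": seq_le,
    }


def guess_os(echo):
    """Map a wire-order Identifier to candidate Windows versions, or None."""
    return WINDOWS_ICMP_IDS.get(echo["id"])


def queries_since_boot(echo):
    """Sequence Number divided by 256, as the advisory suggests."""
    return echo["seq"] // 256


def analyse_trace(dumps):
    """Run the heuristics over a list of hex dumps, one per datagram."""
    results = []
    for dump in dumps:
        echo = parse_icmp_echo(hexdump_to_bytes(dump))
        echo["os_guess"] = guess_os(echo)
        echo["queries"] = queries_since_boot(echo)
        results.append(echo)
    return results


# Sample input: the first two requests from the Windows 2000 SP1 trace.
WIN2K_SP1_TRACE = [
    "4500 003c 2b3f 0000 8001 b4a8 ac12 01b3 "
    "ac12 0102 0800 265c 0300 2400 6162 6364 "
    "6566 6768 696a 6b6c 6d6e 6f70 7172 7374 "
    "7576 7761 6263 6465 6667 6869",
    "4500 003c 2b43 0000 8001 b420 ac12 01b3 "
    "ac12 0186 0800 255c 0300 2500 6162 6364 "
    "6566 6768 696a 6b6c 6d6e 6f70 7172 7374 "
    "7576 7761 6263 6465 6667 6869",
]

# Constructed contrast case (not from the trace): a UNIX-style echo request
# whose Identifier is an assumed process ID (0x1234) and whose Sequence
# Number starts at 0. Checksums are zero; this parser does not verify them.
UNIX_STYLE_DUMP = (
    "4500 001c 0001 0000 4001 0000 c0a8 0001 "
    "c0a8 0002 0800 0000 1234 0000"
)

if __name__ == "__main__":
    for e in analyse_trace(WIN2K_SP1_TRACE + [UNIX_STYLE_DUMP]):
        print("%s > %s id=%d (0x%04x, host-order %d) seq=%d (host-order %d) "
              "queries=%d guess=%s" % (
                  e["src"], e["dst"], e["id"], e["id"], e["id_le"],
                  e["seq"], e["seq_le"], e["queries"],
                  e["os_guess"] or "not a Windows ping Identifier"))
```

Running it on the two trace datagrams reports Identifier 768 (host-order 3) for both destinations, Sequence Numbers 256 apart, a query count of 36 and 37, and the Windows ME / Windows 2000 SP1 candidates; the constructed UNIX-style request yields no Windows match.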
SOLUTION
Microsoft can argue that their ICMP implementation does not contradict
RFC 792, since the RFC describes the usage of the ICMP Identifier
field with the words "may be used".
But if we apply common sense, what role does the ICMP Identifier
field play in the Microsoft case?