https://community.checkpoint.com/t5/General-Topics/id-0-in-fwmonitor/m-p/137308#M24517 <P>While it is possible to have a capture point of <STRONG>id</STRONG> (inbound before decrypt), the field you have circled in your screenshot is the IP Layer 3 header field "Identification", not the Layer 4 TCP sequence number.&nbsp; The IP ID field is supposed to be unique for each individual packet associated with a single connection (srcip,sport,dstip,dport) in order to support fragmentation and reassembly.&nbsp; All fragments of the same datagram will have an identical IP ID, and as such the reassembling system can put them back together.&nbsp;</P> <P>However if the DF (Don't fragment) bit is set, fragmentation is not allowed and the IP ID is irrelevant.&nbsp; The most common type of traffic that has DF set in my experience is ESP/IPSec.&nbsp; I suspect that the DF bit is set in those packets you captured, and that is why the IP ID was left as 0 by the sending system because it simply doesn't matter.&nbsp;</P> <P>Here is a diagram from my Max Capture video series identifying the IP ID field, which by default is only shown from the CLI when using&nbsp;<STRONG>fw monitor</STRONG>.&nbsp; I would speculate that the reason <STRONG>fw monitor</STRONG> shows this field by default in CLI output is because the same packet is displayed many times at the various capture points, and the IP ID can be a handy visual reference to verify that several lines of output are actually the same packet, since the multiple lines for a single packet will all have the same IP ID.&nbsp; Also possible that <STRONG>fw monitor</STRONG> shows the IP ID because traffic displayed by <STRONG>fw monitor</STRONG> has already been virtually reassembled if fragmentation is present, whereas <STRONG>tcpdump</STRONG> and <STRONG>cppcap</STRONG> will just show you the original fragments instead.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tools.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14724i8F047EDA320D8953/image-size/large?v=v2&amp;px=999" role="button" title="tools.png" alt="tools.png" /></span></P> Tue, 28 Dec 2021 13:20:49 GMT Timothy_Hall 2021-12-28T13:20:49Z https://community.checkpoint.com/t5/General-Topics/id-0-in-fwmonitor/m-p/137261#M24513 <P>Hey guys,</P><P>I was using fwmonitor and I came across some information.</P><P>What does id = 0 mean in the fwmonitor utility?</P><P>I know it shows the packet's sequence number, but does the zero have any meaning?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WhatsApp Image 2021-12-27 at 10.59.54.jpeg" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14709i05F1DE2ECC36D347/image-size/medium?v=v2&amp;px=400" role="button" title="WhatsApp Image 2021-12-27 at 10.59.54.jpeg" alt="WhatsApp Image 2021-12-27 at 10.59.54.jpeg" /></span></P><P> </P> Mon, 27 Dec 2021 18:01:57 GMT https://community.checkpoint.com/t5/General-Topics/id-0-in-fwmonitor/m-p/137261#M24513 Marquevis 2021-12-27T18:01:57Z https://community.checkpoint.com/t5/General-Topics/id-0-in-fwmonitor/m-p/137266#M24514 <P>Below might answer your question</P> <P><A href="https://community.checkpoint.com/t5/General-Topics/id-ID-and-OE-inspection-points-in-R80-20-GA/td-p/35176" target="_blank">https://community.checkpoint.com/t5/General-Topics/id-ID-and-OE-inspection-points-in-R80-20-GA/td-p/35176</A></P> Mon, 27 Dec 2021 18:31:31 GMT https://community.checkpoint.com/t5/General-Topics/id-0-in-fwmonitor/m-p/137266#M24514 the_rock 2021-12-27T18:31:31Z https://community.checkpoint.com/t5/General-Topics/id-0-in-fwmonitor/m-p/137308#M24517 <P>While it is possible to have a capture point of <STRONG>id</STRONG> (inbound before decrypt), the field you have circled in your screenshot is the IP Layer 3 header field "Identification", not the Layer 4 TCP sequence number.&nbsp; The IP ID field is supposed to be unique for each individual packet associated with a single connection (srcip,sport,dstip,dport) in order to support fragmentation and reassembly.&nbsp; All fragments of the same datagram will have an identical IP ID, and as such the reassembling system can put them back together.&nbsp;</P> <P>However if the DF (Don't fragment) bit is set, fragmentation is not allowed and the IP ID is irrelevant.&nbsp; The most common type of traffic that has DF set in my experience is ESP/IPSec.&nbsp; I suspect that the DF bit is set in those packets you captured, and that is why the IP ID was left as 0 by the sending system because it simply doesn't matter.&nbsp;</P> <P>Here is a diagram from my Max Capture video series identifying the IP ID field, which by default is only shown from the CLI when using&nbsp;<STRONG>fw monitor</STRONG>.&nbsp; I would speculate that the reason <STRONG>fw monitor</STRONG> shows this field by default in CLI output is because the same packet is displayed many times at the various capture points, and the IP ID can be a handy visual reference to verify that several lines of output are actually the same packet, since the multiple lines for a single packet will all have the same IP ID.&nbsp; Also possible that <STRONG>fw monitor</STRONG> shows the IP ID because traffic displayed by <STRONG>fw monitor</STRONG> has already been virtually reassembled if fragmentation is present, whereas <STRONG>tcpdump</STRONG> and <STRONG>cppcap</STRONG> will just show you the original fragments instead.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tools.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14724i8F047EDA320D8953/image-size/large?v=v2&amp;px=999" role="button" title="tools.png" alt="tools.png" /></span></P> Tue, 28 Dec 2021 13:20:49 GMT https://community.checkpoint.com/t5/General-Topics/id-0-in-fwmonitor/m-p/137308#M24517 Timothy_Hall 2021-12-28T13:20:49Z