Sorry I am less than clear; practical example follows.
Using the world's most widely used enterprise router and software, if I reboot many times, I get (mostly) the precise same sequence of SNMPv1 traps from the same IP address/port with the same OIDs and the same values. The only difference from one sequence to another is in the (copy of the) sysUpTime, which, reset on boot, has a very small standard deviation, more like hundredths of a second as opposed to a second. (These boxes really are predictable.)
So when, as has happened, the router boots and crashes during startup and does so every two minutes or less, how can I distinguish this situation from packets getting duplicated in the network, even perhaps as part of a malicious replay attack?
I think of TCP connection startup where I can tell because (most) systems use a pseudo-random seed to initialise the sequence number so I expect to detect a duplicate SYN or SYN-ACK.
If the request-id was pseudo-random, no problem - but it isn't!
SNMPv3 would have a boot count, but SNMPv1 packets, native or created via RFC 2576, do not.
Tom Petch, Network Consultant
+(44) 192 575 3018
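
The ambiguity described in the message above, as an added example that is not part of the original post: a receiver that sees repeated notifications can attribute them when a boot counter is present and cannot when it is absent. The `Trap` record, its field names, the addresses and the sample values are constructed for illustration, and the comparison is a simplification, not the RFC 3414 timeliness procedure.

```python
from collections import namedtuple

# Constructed record of a received notification (field names are illustrative).
# uptime is sysUpTime in hundredths of a second; boots is None for SNMPv1,
# which carries no boot counter, and an integer for SNMPv3.
Trap = namedtuple("Trap", "src oid values uptime boots")

COLD_START = "1.3.6.1.6.3.1.1.5.1"  # coldStart notification OID

def classify(stream):
    """Label each trap relative to earlier traps with identical content:
    'new', 'reboot', 'duplicate', 'stale' or 'ambiguous'."""
    seen = {}    # content key -> list of (uptime, boots) already received
    labels = []
    for t in stream:
        key = (t.src, t.oid, t.values, t.boots is None)
        prior = seen.setdefault(key, [])
        if not prior:
            label = "new"
        elif t.boots is None:
            # SNMPv1: content repeats exactly and sysUpTime restarts on every
            # boot, so a crash loop and a re-sent packet look the same.
            label = "ambiguous"
        elif (t.uptime, t.boots) in prior:
            label = "duplicate"      # same boot, same timestamp: seen before
        elif t.boots > max(b for _, b in prior):
            label = "reboot"         # counter advanced: a genuine restart
        elif t.boots < max(b for _, b in prior):
            label = "stale"          # older boot than one already observed
        else:
            label = "new"            # same boot, different time
        prior.append((t.uptime, t.boots))
        labels.append(label)
    return labels

# Constructed streams: boot, second boot 0.01 s "later" in uptime, then a
# re-sent copy of the first packet.
V1_STREAM = [
    Trap("192.0.2.1", COLD_START, (), 412, None),
    Trap("192.0.2.1", COLD_START, (), 413, None),
    Trap("192.0.2.1", COLD_START, (), 412, None),
]
V3_STREAM = [
    Trap("192.0.2.2", COLD_START, (), 412, 7),
    Trap("192.0.2.2", COLD_START, (), 413, 8),
    Trap("192.0.2.2", COLD_START, (), 412, 7),
]

if __name__ == "__main__":
    print("v1:", classify(V1_STREAM))
    print("v3:", classify(V3_STREAM))
```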