Where can I find IP fragmented Sample pcaps for WireShark?

2

5

Are there any sources where I can find different pcap samples for IP fragmented data (Wireshark compatible)?

Menorrhagia answered 1/5, 2011 at 10:50 Comment(0)
2

Take a look at the Wireshark Sample Captures wiki and search for fragments... for instance, they have the Teardrop overlapping IP fragment attack.

Sending that to PCs would lock up an unpatched Windows 95 machine...

EDIT

If you want to see general IP fragmentation, I can't think of a capture offhand, but you can simulate IP fragmentation with creative use of tcprewrite under *nix.

Loch answered 1/5, 2011 at 10:56 Comment(7)
@Mike, thanks. I already looked at that one but I wonder if there are more comprehensive samples somewhere - Menorrhagia
@Wajih, when you say comprehensive, what additional data points are you looking for? - Loch
@Mike, like IP fragmentation of FTP data, images, files etc. Which are then reconstructed by Wireshark. - Menorrhagia
@Wajih, do you have access to a Linux machine? - Loch
@Mike, Ubuntu is the best I got - Menorrhagia
@Wajih, nothing wrong with Ubuntu... check out my edit. If you're willing to rewrite a pcap, then tcprewrite will allow you to see what normal IP fragmentation looks like. Just feed it any FTP transfer and it will fragment at whatever IP MTU you specify. - Loch
@Wajih, sure thing... I use Debian, so it is the tcpreplay package... I'm not sure what Ubuntu does, but usually they have the same package names... - Loch
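As an added illustration of the "general IP fragmentation" this answer suggests simulating (not code from the answer or from tcprewrite), the Python script below splits one constructed UDP datagram into IPv4 fragments at a chosen MTU and produces a raw-IP pcap that Wireshark can open and reassemble. The addresses (documentation range 192.0.2.0/24), ports, IP ID and output file name are assumptions.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(data_len, ident, more, offset, src, dst, proto=17):
    # Fragment offset is stored in 8-byte units; 0x2000 is the MF flag.
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def fragment(ip_payload, mtu, ident=0x1234,
             src=bytes([192, 0, 2, 1]), dst=bytes([192, 0, 2, 2])):
    """Split one IP payload into fragments that each fit in `mtu` bytes."""
    step = (mtu - 20) & ~7  # every non-final fragment carries a multiple of 8
    if step <= 0:
        raise ValueError("MTU too small to carry 8 bytes of data")
    return [ipv4_header(len(ip_payload[off:off + step]), ident,
                        off + step < len(ip_payload), off, src, dst)
            + ip_payload[off:off + step]
            for off in range(0, len(ip_payload), step)]

def udp_datagram(data, sport=40000, dport=9):
    # UDP checksum 0 means "not computed", which is legal over IPv4.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def reassemble(frags):
    """Rebuild the IP payload by ordering fragments on their offset field."""
    parts = {(struct.unpack("!H", f[6:8])[0] & 0x1FFF) * 8: f[20:] for f in frags}
    return b"".join(parts[off] for off in sorted(parts))

def pcap_bytes(packets):
    """Classic pcap, link type 101 (LINKTYPE_RAW): packets start at the IP header."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for i, pkt in enumerate(packets):  # constructed timestamps, 1 s apart
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    payload = udp_datagram(bytes(range(256)) * 12)  # constructed 3072-byte body
    frags = fragment(payload, mtu=576)
    with open("ip_fragments.pcap", "wb") as fh:  # assumed output file name
        fh.write(pcap_bytes(frags))
    print(len(frags), "fragments written to ip_fragments.pcap")
```

In Wireshark, the display filter `ip.flags.mf == 1 || ip.frag_offset > 0` selects the fragments, and the reassembled UDP datagram is shown on the final one.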
5

See the files attached to the following Wireshark bug reports for examples of IP fragmentation.

I would note that IP fragmentation is IP fragmentation regardless of the payloads carried over IP.

What are you looking for that you wish to see "IP fragmentation of FTP data, images, files, etc"?

Is it actually TCP re-assembly that you wish to look at?

Bug 2651: sas.cap

Bug 713: nfs_udp.pcap

Tactical answered 2/5, 2011 at 14:35 Comment(0)