[ipv6hackers] Question on tools use to monitor fragmented packet attacks
Marc Heuse
mh at mh-sec.de
Sat Apr 13 09:58:42 CEST 2013
Hi Jim,

I use Wireshark, and ignore the decoding and just examine the hexdump
itself :-)

Wireshark tries to be clever, and of course when things are on purpose
not standard it fails.

Greets,
Marc

On 13.04.2013 00:28, Jim Small wrote:
> I've been doing a lot of work with Marc's THC IPv6 tools and Fernando's IPv6 Toolkit. My tool of choice for monitoring is Wireshark. I use a combination of monitoring from the attack system, the attacked system, and ingress/egress switchport SPAN/Monitor captures.
>
> What I notice is that often times when I fragment packets (e.g. RAs) Wireshark will complain about a malformed frame in the IPv6 decode. Whenever this happens, it seems like Windows 7 also ignores/doesn't process the frames. I've mostly been focused on attacking and defending so I haven't dug into why this is just yet.
>
> I wanted to ask - when you are attacking/probing/fuzzing systems with fragmented packets - what tools are you using to monitor the frames? If Wireshark fails do you use tcpdump, a hex decoder, or something else?
>
> Please let me know,
> --Jim
--
Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726
www.mh-sec.de
Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin
Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
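
Added example, not part of the original thread or written by either poster: one way to do the manual hexdump check described above, walking the IPv6 header chain and the Fragment header straight from the raw bytes instead of relying on a dissector. The sample packet is constructed, and the function name `walk_ipv6` and the checks it reports are this example's own assumptions.

```python
import struct

# Extension headers that share the (Next Header, Hdr Ext Len) layout.
TLV_EXT = {0: "Hop-by-Hop", 43: "Routing", 60: "Destination Options"}
FRAGMENT = 44

# Constructed sample: first fragment (offset 0, M=1) carrying 8 bytes of ICMPv6.
SAMPLE = """
60000000 0010 2c ff
fe800000000000000000000000000001
ff020000000000000000000000000001
3a 00 0001 12345678
86000000 40000708
"""

def walk_ipv6(hexdump):
    """Walk the header chain of one packet given as hex, starting at the IPv6 header."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack_from("!HB", pkt, 4)
    off, chain, frag, notes = 40, [], None, []
    if payload_len != len(pkt) - 40:
        notes.append(f"payload length {payload_len} but {len(pkt) - 40} bytes captured")
    while nh in TLV_EXT or nh == FRAGMENT:
        if off + 8 > len(pkt):
            notes.append(f"header chain truncated at byte {off}")
            break
        if nh == FRAGMENT:
            chain.append("Fragment")
            nh, _, off_flags, ident = struct.unpack_from("!BBHI", pkt, off)
            frag = {"offset": (off_flags >> 3) * 8, "more": bool(off_flags & 1), "id": ident}
            off += 8
            if frag["offset"]:
                break  # non-first fragment: the rest is mid-stream data, not headers
        else:
            chain.append(TLV_EXT[nh])
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off > len(pkt):
        notes.append("extension header runs past end of packet")
    data = pkt[off:]
    if frag and frag["more"] and len(data) % 8:
        notes.append("non-last fragment data is not a multiple of 8 bytes")
    return {"chain": chain, "next_header": nh, "fragment": frag,
            "data_len": len(data), "notes": notes}

if __name__ == "__main__":
    print(walk_ipv6(SAMPLE))
```

Paste the bytes from the IPv6 header onward (without the Ethernet header) from a capture's hex pane to compare the result with what the dissector reports.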