[ipv6hackers] Question on tools use to monitor fragmented packet attacks

Fernando Gont fgont at si6networks.com
Sat Apr 13 04:01:18 CEST 2013


Hi, Jim,

On 04/12/2013 07:28 PM, Jim Small wrote:
> What I notice is that often times when I fragment packets (e.g. RAs)
> Wireshark will complain about a malformed frame in the IPv6 decode.

What kind of errors are you getting with wireshark?


> Whenever this happens, it seems like Windows 7 also ignores/doesn't
> process the frames. 

Note that some implementations ignore some fragmented ND packets --
kind of what draft-ietf-6man-nd-extension-headers proposes.


> I wanted to ask - when you are attacking/probing/fuzzing systems with
> fragmented packets - what tools are you using to monitor the frames?
> If Wireshark fails do you use tcpdump, a hex decoder, or something
> else?

I've mostly used wireshark, and sometimes tcpdump -- what's sometimes
confusing with wireshark is that, by default, it reassembles the packets
-- so what you see in the packet decode is not always what you see on
the wire.

Side note: At times I've found that some options are not supported...
Others that I expected alarms to go off but they didn't (e.g., at some
point I was sending IPv6 packets and had failed to set the IPv6 version
field -- packets were being dropped, and there was no clear indication
of why). So at times I've had to manually decode packets, by
leveraging wireshark's or tcpdump's hex dumps.

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
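
A small decoder for the manual hex-dump decoding mentioned in the message above, as an added example that is not part of the original post or of any tool named in it: it reads the bytes as they are on the wire (no reassembly), flags a wrong version field, and walks the extension header chain to the Fragment header. The function name, report layout and sample packet are constructed for illustration; the input is assumed to be plain hex starting at the IPv6 header, with offsets and any link-layer header already stripped.

```python
import ipaddress
import struct

EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 60: "Destination Options"}
FRAGMENT = 44
# Constructed sample: first fragment of a Router Advertisement (checksum not valid).
SAMPLE = ("60000000" "0018" "2c" "ff"         # ver 6, payload len 24, NH 44, HL 255
          + "fe80" + "00" * 12 + "0001"       # src fe80::1
          + "ff02" + "00" * 12 + "0001"       # dst ff02::1
          + "3a00" "0001" "00003039"          # Fragment: NH 58, offset 0, M=1, id 12345
          + "8600" "0000" "4000" "0708" + "00" * 8)   # first 16 bytes of the RA
SAMPLE_BAD = "00" + SAMPLE[2:]                # same packet, version nibble left at 0

def decode_ipv6(hex_dump):
    """Decode one raw IPv6 packet (no link-layer header) given as hex text."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    report = {"problems": [], "chain": [], "fragment": None}
    if len(raw) < 40:
        report["problems"].append(f"truncated: {len(raw)} bytes, fixed header needs 40")
        return report
    word0, payload_len, next_hdr, _hop_limit = struct.unpack("!IHBB", raw[:8])
    report["version"] = word0 >> 28
    if report["version"] != 6:
        report["problems"].append(f"version field is {report['version']}, expected 6")
    report["src"] = str(ipaddress.IPv6Address(raw[8:24]))
    report["dst"] = str(ipaddress.IPv6Address(raw[24:40]))
    if payload_len != len(raw) - 40:
        report["problems"].append(f"payload length {payload_len} != {len(raw) - 40} captured")
    offset = 40
    # Walk the chain exactly as sent; only the headers in EXT_HEADERS are followed.
    while next_hdr in EXT_HEADERS or next_hdr == FRAGMENT:
        if offset + 8 > len(raw):
            report["problems"].append(f"header chain truncated at byte {offset}")
            break
        if next_hdr == FRAGMENT:
            nh, _, off_flags, ident = struct.unpack("!BBHI", raw[offset:offset + 8])
            report["fragment"] = {"offset_bytes": (off_flags >> 3) * 8, "id": ident,
                                  "more_fragments": bool(off_flags & 1), "next_header": nh}
            report["chain"].append("Fragment")
            next_hdr, offset = nh, offset + 8
            if off_flags >> 3:                # non-first fragment: the rest is payload
                break
        else:
            nh, ext_len = raw[offset], raw[offset + 1]
            report["chain"].append(EXT_HEADERS[next_hdr])
            next_hdr, offset = nh, offset + (ext_len + 1) * 8
    report["upper_layer"] = next_hdr
    return report
```
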






