[ipv6hackers] Question on tools use to monitor fragmented packet attacks

Owen DeLong owend at he.net
Sat Apr 13 22:44:00 CEST 2013


I've found tcpdump to be a much easier and more versatile tool for this purpose as well.

TCPdump's cleverness is usually a bit less "overly-clever" than Wireshark's and it seems to do a better job of noticing what is wrong and flagging it.

YMMV.

Owen

On Apr 13, 2013, at 00:58 , Marc Heuse <mh at mh-sec.de> wrote:

> Hi Jim,
> 
> I use Wireshark, and ignore the decoding and just examine the hexdump
> itself :-)
> Wireshark tries to be clever, and of course when things are on purpose
> not standard it fails.
> 
> Greets,
> Marc
> 
> On 13.04.2013 00:28, Jim Small wrote:
>> I've been doing a lot of work with Marc's THC IPv6 tools and Fernando's IPv6 Toolkit.  My tool of choice for monitoring is Wireshark.  I use a combination of monitoring from the attack system, the attacked system, and ingress/egress switchport SPAN/Monitor captures.
>> 
>> What I notice is that often times when I fragment packets (e.g. RAs) Wireshark will complain about a malformed frame in the IPv6 decode.  Whenever this happens, it seems like Windows 7 also ignores/doesn't process the frames.  I've mostly been focused on attacking and defending so I haven't dug into why this is just yet.
>> 
>> I wanted to ask - when you are attacking/probing/fuzzing systems with fragmented packets - what tools are you using to monitor the frames?  If Wireshark fails do you use tcpdump, a hex decoder, or something else?
>> 
>> Please let me know,
>>  --Jim
>> 
>> 
>> 
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
>> 
> 
> -- 
> Marc Heuse
> Mobil: +49 177 9611560
> Fax: +49 30 37309726
> www.mh-sec.de
> 
> Marc Heuse - IT-Security Consulting
> Winsstr. 68
> 10405 Berlin
> 
> Ust.-Ident.-Nr.: DE244222388
> PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
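Added here as an example, not code from any of the posters: a small Python walker that reads the IPv6 header chain straight from the packet bytes, the way Marc describes reading the hexdump, reporting the Fragment header fields and flagging ICMPv6 carried inside a fragment (the fragmented RAs Jim mentions). The packet bytes are constructed in the script rather than captured, and RFC 6980, which forbids fragmenting Neighbor Discovery messages, is the reason a monitor would alert on that case regardless of what a dissector says.

```python
import struct

# IPv6 header numbers from RFC 8200; the chain is walked in order.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58
CHAINED = {HOP_BY_HOP, ROUTING, DEST_OPTS}   # share the "next header, length" layout

def walk_ipv6(pkt: bytes) -> dict:
    """Walk the header chain of a raw IPv6 packet (link-layer header stripped,
    as tcpdump -x prints it). Returns header types seen, Fragment header fields
    if present, and the upper-layer protocol. Truncation raises ValueError."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    if 40 + struct.unpack_from("!H", pkt, 4)[0] > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    nh, off, info = pkt[6], 40, {"chain": [], "fragment": None}
    while nh in CHAINED or nh == FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        info["chain"].append(nh)
        if nh == FRAGMENT:
            nh, _, fo_flags, ident = struct.unpack_from("!BBHI", pkt, off)
            info["fragment"] = {"offset": (fo_flags >> 3) * 8,
                                "more": bool(fo_flags & 1), "id": ident}
            off += 8
            if info["fragment"]["offset"]:
                break   # non-first fragment: what follows is mid-payload, not a header
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
            if off > len(pkt):
                raise ValueError("extension header runs past end of packet")
    info["upper"], info["upper_offset"] = nh, off
    return info

def fragmented_icmpv6(pkt: bytes) -> bool:
    """True when ICMPv6 is carried inside a fragment. RFC 6980 forbids
    fragmenting Neighbor Discovery messages such as Router Advertisements,
    so a monitor can alert on this rather than rely on a dissector's verdict."""
    info = walk_ipv6(pkt)
    return info["fragment"] is not None and info["upper"] == ICMPV6

def build_sample(offset: int, more: bool) -> bytes:
    """Constructed test packet (not a capture): fe80::1 -> ff02::1, Fragment
    header, then 16 bytes of an RA (ICMPv6 type 134). Checksum left zero."""
    frag = struct.pack("!BBHI", ICMPV6, 0, (offset // 8) << 3 | int(more), 0x1234)
    ra = bytes([134, 0, 0, 0, 64, 0, 0x07, 0x08]) + bytes(8)
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    hdr = struct.pack("!IHBB", 0x60000000, len(frag) + len(ra), FRAGMENT, 255)
    return hdr + src + dst + frag + ra
```

Feeding it the hex of a frame that Wireshark marks malformed shows whether the chain itself is broken (ValueError) or merely unusual (a Fragment header in front of ICMPv6).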