Russell Fulton wrote:
> For some time now snort has been logging 'Tiny Fragments' coming from
> several different addresses. Here is a sample:
>
> Packet 1
> TIME: 10:04:55.405457
> LINK: 00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
> IP: 62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D09
> MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE6E
> TCP: port 0 -> 0 seq=0000000000 ack=0000000000
> hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=50A9 urg=59666
> DATA: <No data>
> ---------------------------------------------------------------------------
> Packet 2
> TIME: 10:04:55.481006 (0.075549)
> LINK: 00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
> IP: 62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D12
> MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE65
> TCP: port 0 -> 0 seq=0000000000 ack=0000000000
> hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=0F59 urg=30577
> DATA: <No data>
>
> Note More Fragments and Don't fragment are both set to 1??
>
> The packets arrive in pairs, both to the same destination address.

Might it be hping running in two-fragments mode? hping data portions are small; when split into two, it will be tiny. Busy now so cannot verify with a sniffer trace; sorry.

regards,
-bd
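An added example, not part of either message: a triage check that rebuilds the 20-byte IPv4 header of Packet 1 from the fields in the dump, verifies the header checksum, and lists the fragmentation anomalies a sensor would flag. The function names are hypothetical, and the byte string is constructed from the dump on the assumption that TOS=48 is hexadecimal and MF/DF=1/1 means both flag bits are set.

```python
import socket
import struct

# Constructed from the Packet 1 dump: ver/IHL=0x45, TOS=0x48, dgramlen=20,
# id=0x5D09, DF+MF set with offset 0 (0x6000), TTL=98, proto=6, cksum=0xCE6E.
PKT1 = bytes.fromhex("45480014" "5d096000" "6206ce6e" "3e209c29" "82d87002")

def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the header; 0 means the stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def inspect_ipv4(raw: bytes) -> dict:
    """Decode an IPv4 header and report fragmentation anomalies."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    hlen = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    payload = total_len - hlen

    findings = []
    if df and mf:
        # A datagram marked "do not fragment" should never announce more fragments.
        findings.append("DF and MF both set")
    if mf and offset == 0 and proto == socket.IPPROTO_TCP and payload < 20:
        # First fragment cannot hold a full TCP header (ports and flags unverifiable).
        findings.append("first fragment shorter than a TCP header")
    if mf and payload == 0:
        findings.append("fragment carries no payload")

    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "id": ident, "df": df, "mf": mf, "offset": offset,
        "payload": payload,
        "checksum_ok": ip_checksum(raw[:hlen]) == 0,
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in inspect_ipv4(PKT1).items():
        print(f"{key}: {value}")
```

The stored checksum CE6E validates only when TOS=48 is read as hexadecimal, and with dgramlen equal to hlen there are no TCP bytes inside the datagram, so the TCP line in the dump was decoded from bytes beyond its end.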
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 10:38:41 PDT