Nmap Development mailing list archives

nmap option '-f' (fragment) doesn't work on Linux v2.4


From: milosevic () fastmail fm
Date: Thu, 15 May 2003 07:48:20 -0700

It appears that the "fragment" option doesn't work on Linux v2.4,
or at least v2.4.18, which is what I'm running. "tcpdump" reveals that
"nmap -sS -f -P0" transmits a single 40 byte SYN packet. On Linux v2.2,
the same action produces two fragments of 36 and 24 bytes,
as described in the manual.

It seems that this is not nmap's fault. Experimentation with raw
sockets shows that the kernel attempts to defragment all
locally-generated packets. Nothing is transmitted until the final
fragment is submitted to the kernel, at which point a single
unfragmented packet appears on the wire.

Linux v2.2 seems to preserve locally generated fragments regardless
of the value of the /proc/sys/net/ipv4/ip_always_defrag switch.
In Linux v2.4, this switch doesn't even exist.

Is there some way to get around this "feature" of Linux v2.4, so that
"nmap -f" can perform its intended function?

Another (possibly stupid) question: why doesn't nmap fragment the TCP
segment at offset 8 instead of 16, so that the TCP flags appear in
the second fragment? Wouldn't that have a better chance of confusing
gateways and firewalls, especially in the common case that SYN packets
with a particular destination port are filtered?

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
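The byte arithmetic behind both observations in the post (why the two fragments are 36 and 24 bytes, and where the TCP flags land when the split moves from 16 to 8 bytes), as an added Python example that is not part of the original message or of nmap: it models fragments as (offset, more-fragments, transport bytes) instead of building full IP headers, and the verdict function applies the two stateless checks from RFC 1858 that a packet filter can use against such fragments. The SYN header and the port numbers are constructed sample values.

```python
import struct
from typing import List, Tuple

IP_HDR_LEN = 20        # IPv4 header without options; each fragment carries one
TCP_FLAGS_BYTE = 13    # the TCP flag bits (SYN etc.) sit in byte 13 of the TCP header
TMIN = 16              # RFC 1858 "tmin": transport bytes a first fragment must carry

# A fragment is (offset_in_bytes, more_fragments, transport_bytes). Only the
# fragmentation fields matter here, so the IP header is not built byte by byte.
Fragment = Tuple[int, bool, bytes]

def build_syn(sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP SYN header (no options); flags byte is 0x02."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                       5 << 4, 0x02, 1024, 0, 0)

def fragment_segment(segment: bytes, first_len: int) -> List[Fragment]:
    """Split a transport segment into two IPv4 fragments as 'nmap -f' does:
    the first carries first_len bytes, the second carries the rest.
    IPv4 offsets are in 8-byte units, so first_len must be a multiple of 8."""
    if first_len % 8 or not 0 < first_len < len(segment):
        raise ValueError("first fragment must be a non-final multiple of 8 bytes")
    return [(0, True, segment[:first_len]),
            (first_len, False, segment[first_len:])]

def wire_sizes(frags: List[Fragment]) -> List[int]:
    """Bytes seen on the wire per fragment: each one gets its own IP header."""
    return [IP_HDR_LEN + len(data) for _, _, data in frags]

def first_fragment_has_flags(frags: List[Fragment]) -> bool:
    """True if the offset-0 fragment already contains the TCP flags byte."""
    first = next(data for off, _, data in frags if off == 0)
    return len(first) > TCP_FLAGS_BYTE

def rfc1858_verdict(frags: List[Fragment]) -> str:
    """Stateless filter rules from RFC 1858 for TCP fragments: drop a first
    fragment shorter than tmin, and drop any fragment at offset 1 (8 bytes),
    since on reassembly it could overwrite the flags of the first fragment."""
    for off, more, data in frags:
        if off == 0 and more and len(data) < TMIN:
            return "drop: tiny first fragment"
        if off == 8:
            return "drop: fragment at offset 1 overlaps the TCP header"
    return "accept"
```

Splitting the constructed SYN at 16 bytes gives wire sizes [36, 24] with the flags in the first fragment and an "accept" verdict; splitting at 8 bytes moves the flags to the second fragment, but both RFC 1858 rules then fire.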
