Snort mailing list archives

Force a server to send fragments?


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Tue, 2 Apr 2002 17:53:10 -0500


I want to see if any TCP experts out there know the answer to this.

In Snort, I have seen many hosts send many fragmented TCP packets (MF bit
set, no src or dst port) to a server, and occasionally have that server
respond with a fragmented TCP packet instead of a standard TCP packet.
Normally with native TCP, all responses from any server are standard-sized,
unfragmented packets regardless of what type of packets are being received.
So if a server is receiving fragmented packets from a host or standard
unfragmented packets from a host, regardless, it always replies back with
standard-sized, unfragmented TCP packets during a TCP session.

Well, during testing, I've been able to send fragmented TCP packets to a
server, and have it reply back with fragmented packets (MF bit is set and
there are no src or dst ports). An example trace where I saw this is below.

I was wondering if it's possible to force a server to generate fragmented
packets like this?


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/27-21:10:03.975761 internal_server -> unknown_internet_host
TCP TTL:51 TOS:0x0 ID:14447 IpLen:20 DgmLen:52 MF
Frag Offset: 0x0   Frag Size: 0x20
.P..\.K>\.K>.."8................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Thanks
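
The following is an added example, not part of the original post and not Snort's own code: it decodes the IPv4 header fields printed in a trace like the one above and shows how Frag Size follows from DgmLen and IpLen. The sample packet is constructed to match the printed values (ID 14447, TTL 51, DgmLen 52, MF set, offset 0); the addresses, zeroed checksum and payload bytes are placeholders.

```python
import struct

IP_MF = 0x2000        # "more fragments" bit in the flags/offset word
IP_OFFMASK = 0x1FFF   # fragment offset, counted in 8-byte units


def decode_fragment(packet: bytes) -> dict:
    """Return the IPv4 fragment fields shown in the trace (ID, DgmLen, MF, ...)."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, tos, dgm_len, ident, flags_off, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ip_len = (ver_ihl & 0x0F) * 4
    if ip_len < 20 or dgm_len < ip_len:
        raise ValueError("inconsistent header length / total length")
    offset = (flags_off & IP_OFFMASK) * 8
    mf = bool(flags_off & IP_MF)
    frag_size = dgm_len - ip_len
    return {
        "id": ident, "ttl": ttl, "tos": tos, "proto": proto,
        "ip_len": ip_len, "dgm_len": dgm_len,
        "mf": mf, "frag_offset": offset, "frag_size": frag_size,
        # A datagram is a fragment if MF is set or the offset is non-zero.
        "is_fragment": mf or offset > 0,
        # Only the offset-0 fragment can hold the TCP ports, and only a
        # payload of 20+ bytes can hold a complete minimal TCP header.
        "full_tcp_header_possible": proto == 6 and offset == 0 and frag_size >= 20,
    }


def build_sample() -> bytes:
    """Constructed packet matching the trace's printed header values."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00, 52, 14447, IP_MF, 51, 6,
        0,                          # checksum left at 0 (not verified here)
        bytes([192, 0, 2, 10]),     # placeholder source (documentation range)
        bytes([198, 51, 100, 20]),  # placeholder destination
    )
    return header + bytes(32)       # 32 placeholder payload bytes (0x20)


if __name__ == "__main__":
    for key, value in decode_fragment(build_sample()).items():
        print(f"{key:>26}: {value}")
```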
