TCP tries really hard to avoid fragmentation, by setting the DF flag and reducing the MSS when it sees a PTB error.
Of course that sometimes fails, so if you still have TCP fragmented segments, the next best thing is to filter by source/destination address, saving to a PCAP file, then run tshark on that file with the "-2" flag which does packet reassembly.
(I don't know if tshark can be made to do on-the-fly reassembly, that would require keeping a buffer of un-reassembled fragments until the rest of the packets are seen.)
I'm not sure, but you can probably just capture all ip fragments and do a second pass with something later?
When I was running a webserver with worldwide audience and 40+ Gbps traffic (most of that was our apk though), I saw no more than a couple fragments per second; unless there was some UDP reflection DDoS going on and I was getting fragments from that.
Lots of high profile sites don't even accept ip fragmentation because it's too costly to deal with.
johnnny|3 years ago
Of course that sometimes fails, so if you still have TCP fragmented segments, the next best thing is to filter by source/destination address, saving to a PCAP file, then run tshark on that file with the "-2" flag which does packet reassembly.
(I don't know if tshark can be made to do on-the-fly reassembly, that would require keeping a buffer of un-reassembled fragments until the rest of the packets are seen.)
toast0|3 years ago
When I was running a webserver with worldwide audience and 40+ Gbps traffic (most of that was our apk though), I saw no more than a couple fragments per second; unless there was some UDP reflection DDoS going on and I was getting fragments from that.
Lots of high profile sites don't even accept ip fragmentation because it's too costly to deal with.
tptacek|3 years ago