• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Network Security FAQs
• What is a firewall?
• How does firewall protection work?
• Where can I download a free firewall?
• What is a personal firewall?
• Where can I download a free personal firewall?
• What is a mobile firewall?
• How do I configure wireless security?
• What is a DMZ?
• What is an Intrusion Detection System (IDS)?
• What is a packet sniffer?
• How do I monitor Wireless Traffic?
• What is a port scanner?
• What is port forwarding?
• What is a VPN (Virtual Private Network)?
• What is a IPsec?
• What is a ISAKMP?
• What is a IKE?
• What is TLS (Transport Layer Security)?
• What is a TCP sequence prediction attack?
• What is packet fragmentation?
• What are possible defenses against a botnet attack?
• What is a honeypot?
• What is a Denial of Service (DoS) attack?
• What is IP address spoofing?
• What is cyber-warfare?
• What is identity management?
• What is federated identity management?
• What is single sign-on?
• What is role based access control?
• What is AAA?
• What is authentication?
• What is authorization?
• What is accounting?
• What is RADIUS?
• What is SAML?
• What is Kerberos?
• What is LDAP?
• What security issues does LDAP have?
• What is two factor authentication?
• What are biometrics?
• What is a honey monkey?
• What are the rainbow books?
• How do I disable the XP firewall?
• What are the main online security threats?
• How do I disable the Netgear Router firewall?
• What is Cisco VPN error 412?
• What is Peer Guardian?
• What is a RADIUS Server?
• What is Access Control?
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

What is Packet Fragmentation?

Every packet-based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet which that network can transmit.

Packets larger than the allowable MTU must be divided into multiple smaller packets, or fragments, to enable them to traverse the network.

Packet Headers

Every IP packet has an IP (Internet Protocol) header which stores information about the packet, including:

• Version
• IHL
• Type of Service
• Total Length
• Identification
• Flags
• Fragment Offset
• Time to Live
• Protocol
• Header Checksum
• Source Address
• Destination Address
• Options

Note: For more information on the IP header, see RFC 791 - Internet Protocol.

Three of these fields are involved in packet fragmentation.

• Identification
• Flags
• Fragment Offset

Identification: 16 bits

An identifying value assigned by the sender to aid in assembling the fragments of a datagram.

Flags: 3 bits

Various Control Flags.

Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment.
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.

  0   1   2
+---+---+---+
|   | D | M |
| 0 | F | F |
+---+---+---+

Fragment Offset: 13 bits

This field indicates where in the datagram this fragment belongs.

The fragment offset is measured in units of 8 octets (64 bits). The first fragment has offset zero.

Much like the IP header, the TCP (Transmission Control Protocol) header stores information about the packet:

• Source Port
• Destination Port
• Sequence Number
• Acknowledgement Number
• Data Offset
• Flags
• Window
• Checksum
• Urgent Pointer
• Options
• Padding

Note: For more information on the TCP header, see RFC 793 - Transmission Control Protocol.

A Packet Fragmentation Example

If a 2,366 byte packet enters an Ethernet network with a default MTU size, it must be fragmented into two packets.

The first packet will:

• Be 1,500 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 1,456 bytes will be data.

• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 1 to mean "More Fragments."

• Have a Fragmentation Offset of 0.

The second packet will:

• Be 910 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 866 bytes will be data.

• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 0 to mean "Last Fragment."

• Have a Fragmentation Offset of 182 (Note: 182 is 1456 divided by 8).

The Packet Fragmentation Attack

Packet fragmentation can be utilized to get around blocking rules on some firewalls.

This is done by cheating with the value of the Fragment Offset. The trick is to set the value of the Fragment Offset on the second packet so low that instead of appending the second packet to the first packet, it actually overwrites the data and part of the TCP header of the first packet.

Let's say you want to `telnet` into a network where TCP port 23 is blocked by a packet filtering firewall. However, SMTP port 25 is allowed into that network.

What you would do is to send two packets:

The first packet would:

• Have a Fragmentation Offset of 0.
• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 1 to mean "More Fragments."

• Have a Destination Port in the TCP header of 25. TCP port 25 is allowed, so the firewall would allow that packet to enter the network.

The second packet would:

• Have a Fragmentation Offset of 1. This means that the second packet would actually overwrite everything but the first 8 bits of the first packet.

• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 0 to mean "Last Fragment."

• Have a Destination Port in the TCP header of 23. This would normally be blocked, but will not be in this case!

The packet filtering firewall will see that the Fragment Offset is greater than zero on the second packet. From this data, it will deduce that the second packet is a fragment of another packet and it will not check the second packet against the rule set.

When the two packets arrive at the target host, they will be reassembled. The second packet will overwrite most of the first packet and the contents of the combined packet will go to port 23.

Free White Papers on Networking

Vulnerability Management for Dummies

Our friends at Qualys are offering free copies of the electronic version of Vulnerability Management for Dummies to Tech-FAQ readers. Vulnerability Management for Dummies: Explains the critical need for vulnerability management Details the essential best-practice steps of a successful vulnerability management program Outlines the various vulnerability management solutions - including the advantages and disadvantages of each Highlights the award-winning QualysGuard vulnerability management solution Provides a ten point checklist for removing vulnerabilities from your key resources

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum