• Main Menu
  • Packet Fragmentation


    Every packet based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet that that network can transmit.

    Packets larger than the allowable MTU must be divided into smaller packets or fragments to enable them to traverse the network.

    Network Standard MTU
    Ethernet 1500
    Token Ring 4096

    Packet Headers

    Every IP packet has an IP (Internet Protocol) header that stores information about the packet, including:

    • Version
    • IHL
    • Type of Service
    • Total Length
    • Identification
    • Flags
    • Fragment Offset
    • Time to Live
    • Protocol
    • Header Checksum
    • Source Address
    • Destination Address
    • Options

    Note: For more information on the IP header, see RFC 791 – Internet Protocol.

    Three of these fields are involved in packet fragmentation.

    • Identification
    • Flags
    • Fragment Offset

    Identification: 16 bits

    An identifying value that the sender assigns to aid in assembling a datagram’s fragments.

    Flags: 3 bits

    Various Control Flags.

    Bit 0: reserved, must be zero
    Bit 1: (DF) 0 = May Fragment, 1 = Don’t Fragment.
    Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.

     0 1 2
    +---+---+---+
    | | D | M |
    | 0 | F | F |
    +---+---+---+

    Fragment Offset: 13 bits

    This field indicates where in the datagram this fragment belongs.

    The fragment offset is measured in units of 8 octets (64 bits). The first fragment has offset zero.

    Much like the IP header, the TCP (Transmission Control Protocol) header stores information about the packet:

    • Source Port
    • Destination Port
    • Sequence Number
    • Acknowledgement Number
    • Data Offset
    • Flags
    • Window
    • Checksum
    • Urgent Pointer
    • Options
    • Padding

    Note: For more information on the TCP header, see RFC 793 – Transmission Control Protocol.

    A Packet Fragmentation Example

    If a 2,366 byte packet enters an Ethernet network with a default MTU size, it must be fragmented into two packets.

    The first packet will:

    • Be 1,500 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 1,456 bytes will be data.
    • Have a DF bit equal to 0 to mean “May Fragment” and an MF bit equal to 1 to mean “More Fragments.”
    • Have a Fragmentation Offset of 0.

    The second packet will:

    • Be 910 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 866 bytes will be data.
    • Have the DF bit equal to 0 to mean “May Fragment” and the MF bit equal to 0 to mean “Last Fragment.”
    • Have a Fragmentation Offset of 182 (Note: 182 is 1456 divided by 8).

    The Packet Fragmentation Attack

    Packet fragmentation can be utilized to get around blocking rules on some firewalls.

    This is done by cheating with the value of the Fragment Offset. The trick is to set the Fragment Offset’s value on the second packet so low that instead of appending the second packet to the first packet, it actually overwrites the data and part of the TCP header of the first packet.

    If someone wants to `telnet` into a network where a packet filtering firewall blocks TCP port 23, SMTP port 25 is allowed into that network.

    The user would have to send two packets:

    The first packet would:

    • Have a Fragmentation Offset of 0.
    • Have a DF bit equal to 0 to mean “May Fragment” and an MF bit equal to 1 to mean “More Fragments.”
    • Have a Destination Port in the TCP header of 25. TCP port 25 is allowed, so the firewall would allow that packet to enter the network.

    The second packet would:

    • Have a Fragmentation Offset of 1. This means that the second packet would actually overwrite everything but the first 8 bits of the first packet.
    • Have a DF bit equal to 0 to mean “May Fragment” and an MF bit equal to 0 to mean “Last Fragment.”
    • Have a Destination Port in the TCP header of 23. This would normally be blocked, but will not be in this case!

    The packet filtering firewall will see that the Fragment Offset is greater than zero on the second packet. From this data, it will deduce that the second packet is a fragment of another packet and it will not check the second packet against the rule set.

    When the two packets arrive at the target host, they will be reassembled. The second packet will overwrite most of the first packet and the contents of the combined packet will go to port 23.

    Got Something To Say:

    Your email address will not be published. Required fields are marked *

    8 comments
    1. Anil

      20 November, 2015 at 10:42 pm

      Just the first packet will have layer-4 info.. Fragmented packets will only contain the payload..

      Reply
    2. Nick

      13 June, 2014 at 11:05 pm

      “Have a Fragmentation Offset of 1. This means that the second packet
      would actually overwrite everything but the first 8 bits of the first
      packet.”

      According to RFC 791 for IP, the fragment offset is measured in units of 8 octets (64 bits), not 8 bits.

      Reply
      • WillSpencer

        13 June, 2014 at 11:12 pm

        Great catch! Thanks!

        Reply
    3. Namo

      8 June, 2014 at 10:16 am

      Thanks for the concise, to- the-point explanation.

      Reply
    4. Mike G

      17 January, 2014 at 12:31 am

      Awesome explanation.

      Reply
    5. hyp37

      11 July, 2013 at 1:58 pm

      thanks 4 information…

      its’ help me, studies of CEH.. about IP Fragmentation tool.. (ex: Fragtest or fragroute).
      ^_^

      Reply
    6. harald

      28 July, 2011 at 8:09 am

      nicely written, but wrong: the second packet will NOT contain a TCP header, thats the whole point of layers….
      and, btw, in reality all TCP stacks set DF=1 to trigger MTU path discovery and avoid fragmentation

      Reply
    7. Harald

      28 July, 2011 at 8:07 am

      Nich explanation, but factually wrong:
      a) the second packet will NOT contain a TCP header
      b) all TCP stacks will set the DF=1, hence triger an MTU path discovery

      Reply
    Network Security
    179 queries in 0.515 seconds.