[Snort-users] Tiny Fragments

Dragos Ruiu dr at ...50...
Sat Oct 7 00:51:02 EDT 2000

On Fri, 06 Oct 2000, you wrote:
> On Fri, 6 Oct 2000, Dragos Ruiu wrote:
> > Fragmentation was originally meant to handle mediation between
> > devices with different MTU while the higher layer algorithms hunt 
> > around for optimized values.  I've never really seen any net devices
> > with MTUs smaller than 512 bytes/characters... (ATM 53 byte cells
> > included because they have their own SAR function).
> What about a Telnet connection, where one byte of data is sent
> with each keystroke?  Or SYN/SYN-ACK and RST packets are all
> smaller then 128 bytes.  I must be missing how you are 
> implementing this.  Should a fragment preproccessor be looking
> for something smaller the 40 bytes?
> Just trying to learn.

No worries... no such thing as stupid questions, just stupid answers. :-)

The answer to that puzzle is that such small packets shouldn't be segmented
in the first place.  Segmentation is used by network equipment to
stuff big packets into physical layers that only support smaller packet 
sizes or buffers (I.e. a GigE 64k monstergram into 1500byte 100BaseT
frames).  Those small packets from apps like telnet should squeak
through without getting segmented/fragmented/sliced-apart at all.


Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net

More information about the Snort-users mailing list