[Snort-users] DF and MF

Andreas Östling andreaso at ...236...
Mon Apr 7 00:39:02 EDT 2003


On Sat, 5 Apr 2003, Jeff Nathan wrote:

> Linux PMTU discovery will set DF on a packet with MF already set.  It's
> anomalous but the Linux folks tend to disagree.
...

Some (all?) Solaris boxes like to set MF + DF as well.
Here is a fragmented ping to a Solaris box:

04/06-08:38:03.624114 10.0.0.1 -> 192.168.0.1
ICMP TTL:255 TOS:0x0 ID:9889 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0000   Frag Size: 0x05C8

04/06-08:38:03.624117 10.0.0.1 -> 192.168.0.1
ICMP TTL:255 TOS:0x0 ID:9889 IpLen:20 DgmLen:548
Frag Offset: 0x00B9   Frag Size: 0x0157

04/06-08:38:03.625745 192.168.0.1 -> 10.0.0.1
ICMP TTL:254 TOS:0x0 ID:18581 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0000   Frag Size: 0x05C8

04/06-08:38:03.625792 192.168.0.1 -> 10.0.0.1
ICMP TTL:254 TOS:0x0 ID:18581 IpLen:20 DgmLen:548 DF
Frag Offset: 0x00B9   Frag Size: 0x0157


/Andreas




More information about the Snort-users mailing list