[Snort-users] bad frag bits

Matt Kettler mkettler at ...4108...
Tue Nov 25 08:11:13 EST 2003


At 04:00 PM 11/24/2003, Samuel C. Adams wrote:
>Usually these udp packets are fairly large and it's possible they have
>to travel over a link with low MTU at some point. Is it possible to fragment
>packets if the don't fragment bit is set?

Yes it's possible.. it's not RFC compliant, but it is possible.

>Are there routers out there that do that?

Yes.


>I thought routers were supposed to send ICMP code 3 type 4 messages
>(Fragmentation Needed and Don't Fragment was Set) if they are forced to
>deal with packets out that are too large. Is that not always the case?

No it's not always the case.. there are a lot of broken IP stacks out there. 





More information about the Snort-users mailing list