Exercise 1 \u2013 Analyzing the First Two IP Fragments<\/h3>\n\n\n\n
Look at the first two records. They are related fragments and are the only ones associated with this pair of fragments. What do you think happens when they are sent?<\/strong><\/p>\n\n\n\n After identifying the first two packets as related IP fragments, I needed to confirm whether the full set of fragments was present. I used the following Both packets showed more fragments flag set<\/strong> (flags [+]), but neither was marked as the last fragment<\/strong> (with offset and MF flag = 0). This means that the packet reassembly could not be completed, as at least one fragment was missing from the set.<\/p>\n\n\n\n To see how the system reacts to this failed reassembly, I looked for an ICMP error message<\/strong> that might be triggered by this condition. I ran:<\/p>\n\n\n\n Sure enough, shortly after the two fragment packets, I found an ICMP \u201cTime Exceeded \u2013 Fragment Reassembly Time Exceeded\u201d<\/strong> message. This type of ICMP error is sent when the receiver cannot finish reassembling a fragmented IP packet within the allowed time window.<\/p>\n\n\n\n The error response appeared in record 14<\/strong>, indicating the network’s handling of incomplete fragmentation and how it alerts the sender when reassembly fails.<\/p>\n\n\n\n Why didn\u2019t records 3 and 4 (a different pair of related fragments) generate the same type of ICMP error message?<\/strong><\/p>\n\n\n\n To answer this, I examined the fragmentation details of records 3 and 4<\/strong>. Although they represent another pair of related fragments, neither one has a fragment offset of 0<\/strong>. The packet corresponding to the third record has an offset of 1480. This is important because only the first fragment (offset 0)<\/strong> contains the protocol field<\/strong>, which identifies the embedded protocol (like ICMP, TCP, etc.).<\/p>\n\n\n\n Without that first fragment, the receiving system can\u2019t determine what protocol the original datagram was using. As a result, it doesn\u2019t send an ICMP \u201cFragment Reassembly Time Exceeded\u201d<\/strong> message, since it lacks the context needed to generate one.<\/p>\n\n\n\n In this exercise, I analyzed packets 5, 6, and 7<\/strong>, which appeared to be related fragments. At first glance, they looked like they might belong to a single fragmented IP packet, but something unusual stood out.<\/p>\n\n\n\n Fragment Overlap Issue<\/strong> This kind of fragment overlap can be interpreted differently depending on the operating system<\/strong>, making it a potential tactic for evasion or exploitation. Some systems may discard the entire packet, while others may accept whichever version arrives first or last.<\/p>\n\n\n\n Suspicious IP Options<\/strong> What makes you believe that the set of fragments in records 8\u201313 (IP ID 31026) have been crafted? Identify five abnormal traits.<\/strong><\/p>\n\n\n\n Upon analyzing these packets, it became clear that these fragments were likely intentionally crafted<\/strong> rather than the result of legitimate fragmentation. I identified several suspicious traits that support this conclusion:<\/p>\n\n\n\n In this exercise, I used a tcpdump<\/strong> filter to try and identify all fragments related to ICMP echo requests<\/strong> (type 8). The command provided was:<\/p>\n\n\n\n Why don’t we see all the fragments associated with the echo requests ?<\/strong><\/p>\n\n\n\n Only fragments with an offset of 0<\/strong> include the ICMP header<\/strong> (which contains the type field). Subsequent fragments\u2014those with a non-zero offset\u2014contain only payload data<\/strong>, not the protocol header. As a result, the filter doesn’t match those fragments, because the ICMP type field isn\u2019t present in their portion of the packet.<\/p>\n\n\n\n To capture all fragments<\/strong> of a given ICMP echo request, I would need to filter by IP ID<\/strong> (the identifier field) rather than by protocol fields. That\u2019s because all fragments of a packet share the same IP ID, allowing me to track the complete set regardless of whether they include the ICMP header.<\/p>\n","protected":false},"excerpt":{"rendered":" IP Fragmentation Lab \u2013 Overview and Setup This lab focused on exploring the behavior and structure of IP fragmentation. The exercises require close analysis of fragmented IP packets using either Wireshark or tcpdump. Exercise 1 \u2013 Analyzing the First Two IP Fragments Look at the first two records. They are related fragments and are the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[7,6],"class_list":["post-107","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ipv4","tag-wireshark"],"_links":{"self":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=107"}],"version-history":[{"count":5,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/107\/revisions"}],"predecessor-version":[{"id":119,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/107\/revisions\/119"}],"wp:attachment":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}tcpdump<\/code> command to examine fragmentation details more closely:<\/p>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-32.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-33-1024x577.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-34.png\")
<\/figure>\n\n\n\nExercise 2 \u2013 Identifying Fragment Overlap and Suspicious Packet Behavior<\/h3>\n\n\n\n
Packets 5 and 6<\/strong> both have a fragment offset of 0<\/strong>, meaning they are both marked as the first fragment<\/strong>. However, they have different total lengths<\/strong>, which would cause them to overlap<\/strong> if processed together. Packet 7<\/strong> appears to be the final fragment in this set, but it overlaps with packet 6 based on its offset and length.<\/p>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-35-1024x119.png\")
<\/figure>\n\n\n\n
I also noticed that all three packets contained IP options<\/strong>, which are uncommon in typical traffic and can signal malicious activity. Specifically, the packets include type 131 IP options<\/strong>, which are often used to route packets through specific network paths. This could be an attempt to bypass firewalls, intrusion detection systems, or route traffic through an attacker-controlled device<\/strong>.<\/p>\n\n\n\nExercise 3 \u2013 Spotting Crafted Fragment Sets<\/h3>\n\n\n\n
![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-36.png\")
<\/figure>\n\n\n\n\n
Exercise 4 \u2013 Filtering for ICMP Echo Request Fragments<\/h3>\n\n\n\n
![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-37.png\")
<\/figure>\n\n\n\n