RE: Remote IDS Testing - Config question

I have had some luck with getting this 'system' built but have not successfully captured fragmented traffic. I am trying to create a system that fragments any traffic passing across a Linux machine set up as a router. As a result I have created the following network:

a) Dual NIC system running Knoppix Auditor.
eth0 connected through hub to router-'internet' (10.x.x.x).
eth1 connected via x-over to "internal" PC.
Knoppix set up as router to internet.

b) Internal (Client) PC running Windows - or - Linux

c) 3rd machine running Ethereal captures off the eth0 hub.

With no fragmentation involved I can reach the web server on the 'internet' side with no problem. When I run Fragrouter I see the fragments being generated in the console window and the client machine experiences a definite impact as a result. However, Ethereal captures from the client, the eth1 hub, and on the Knoppix box itself do not list any IP FRAGMENTS - I see lots of retrans and lost packets but nothing that indicates that Ethereal was seeing fragmented packets. It 'has' been a while since I had to work at the packet level but I thought I remembered Ethereal listing such traffic as "IP FRAGMENT". Go ahead and "Learn me" something if I am mistaken please!

The only thing I notice is that when I run "fragrouter -i eth1 -F2" I can see the fragmentation listed in console but if I use "fragrouter -i eth0 -F2" nothing happens. I would think that I should want to fragment traffic going through eth0 if I want to pick it up off the hub ... I can guess that the problem lies in my routing configuration on the Knoppix (Auditor) machine but can't think of what to change to make it work. Any thoughts?
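
An added example, not part of the original post: one way to confirm whether a saved capture contains IPv4 fragments without relying on how the analyzer labels them. It reads a classic pcap of Ethernet frames and reports every packet with the MF flag set or a non-zero fragment offset; the function names and the sample capture are constructed for illustration.

```python
import struct

def ipv4_fragments(pcap_bytes):
    """Return (ip_id, byte_offset, more_fragments) for every IPv4 fragment
    in a classic little-endian pcap of Ethernet frames."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet (linktype 1)")
    found, pos = [], 24                      # records follow the 24-byte header
    while pos + 16 <= len(pcap_bytes):
        incl_len, = struct.unpack_from("<I", pcap_bytes, pos + 8)
        frame = pcap_bytes[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                         # truncated or not IPv4
        ip_id, flags_off = struct.unpack_from("!HH", frame, 14 + 4)
        more = bool(flags_off & 0x2000)      # MF (more fragments) flag
        offset = (flags_off & 0x1FFF) * 8    # field counts 8-byte units
        if more or offset:                   # first, middle or last fragment
            found.append((ip_id, offset, more))
    return found

def _frame(ip_id, flags_off, payload_len):
    """Constructed frame: Ethernet + minimal IPv4 header (checksum left 0)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id,
                     flags_off, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + bytes(payload_len)

def sample_pcap():
    """Constructed capture: one unfragmented packet (DF set) followed by
    one packet split into three 8-byte fragments."""
    frames = [_frame(1, 0x4000, 40),
              _frame(2, 0x2000, 8), _frame(2, 0x2001, 8), _frame(2, 0x0002, 8)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip_id, offset, more in ipv4_fragments(sample_pcap()):
        print(f"id={ip_id} offset={offset} MF={int(more)}")
```

An empty result for a capture taken while the fragmenting host is active means the fragments never reached that capture point.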

