RE: Remote IDS Testing - Config question



I have had some luck with getting this 'system' built but have not successfully captured fragmented traffic. I am trying to create a system that fragments any traffic passing across a Linux machine set up as a router. As a result I have created the following network:

a) Dual NIC system running Knoppix Auditor.
eth0 connected through hub to router-'internet'(10.x.x.x).
eth1 (172.16.2.1) connected via x-over to "internal" (172.16.2.2) PC
Knoppix set up as router to internet.

b) Internal (Client) PC running Windows - or - Linux

c) 3rd machine running Ethereal captures off the eth0 hub.

With no fragmentation involved I can reach the web server on the 'internet' side with no problem. When I run Fragrouter I see the fragments being generated in the console window and the client machine experiences a definite impact as a result. However, Ethereal captures from the client, the eth1 hub, and on the Knoppix box itself do not list any IP FRAGMENTS - I see lots of retrans and lost packets but nothing that indicates that Ethereal was seeing fragmented packets. It 'has' been a while since I had to work at the packet level but I thought I remembered Ethereal listing such traffic as "IP FRAGMENT". Go ahead and "Learn me" something if I am mistaken please!

The only thing I notice is that when I run "fragrouter -i eth1 -F2" I can see the fragmentation listed in console but if I use "fragrouter -i eth0 -F2" nothing happens. I would think that I should want to fragment traffic going through eth0 if I want to pick it up off the hub ... I can guess that the problem lies in my routing configuration on the Knoppix (Auditor) machine but can't think of what to change to make it work. Any thoughts?

Hank
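
A way to check a saved capture for IP fragments without relying on how the analyzer labels them, as an added example that is not part of the original post: it reads a classic libpcap file with Ethernet framing (an assumption) and reports every IPv4 packet with the MF flag set or a non-zero fragment offset. The function names, the sample capture and the 10.0.0.80 address are constructed for illustration.

```python
import socket
import struct

def ip_fragments(pcap: bytes):
    """List (packet_no, src, dst, ip_id, byte_offset, more_fragments) per IPv4 fragment."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture file
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture file
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    found, pos, num = [], 24, 0
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        num += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # truncated frame or not IPv4
        ip = frame[14:]
        ident, flags_off = struct.unpack("!HH", ip[4:8])
        more = bool(flags_off & 0x2000)        # MF (more fragments) flag
        offset = (flags_off & 0x1FFF) * 8      # offset field is in 8-byte units
        if more or offset:             # either one marks a fragment
            found.append((num, socket.inet_ntoa(ip[12:16]),
                          socket.inet_ntoa(ip[16:20]), ident, offset, more))
    return found

def _frame(ident, flags_off, payload):
    """Constructed Ethernet + IPv4 frame (zeroed MACs, no checksum, made-up server IP)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64, 6, 0,
                     socket.inet_aton("172.16.2.2"), socket.inet_aton("10.0.0.80"))
    return bytes(12) + b"\x08\x00" + ip + payload

def sample_pcap():
    """Constructed capture: one whole packet, then one datagram in two fragments."""
    frames = [_frame(1, 0x4000, b"A" * 24),   # DF set, not fragmented
              _frame(2, 0x2000, b"B" * 8),    # first fragment: MF set, offset 0
              _frame(2, 0x0001, b"C" * 8)]    # last fragment: MF clear, offset 8
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for row in ip_fragments(sample_pcap()):
        print(row)
```

Running it over a capture from each tap point (passing the file's bytes to `ip_fragments`) shows on which segment fragments actually appear on the wire; an empty list means none were recorded there.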
