
How would I determine what packet is causing the direct attack of a teardrop attack? I'm using the Wireshark capture from the Wireshark wiki: teardrop.cap

How would I analyze this capture to determine the source IP address of the attack and the destination's IP address?

asked 23 Jan '12, 21:00

ssams5

edited 25 Jan '12, 02:24

Jaap ♦

If you load the referenced capture and take a look at frames 8 and 9 you'll see that frame 8 contains an IP fragment with a payload 36 bytes long. The next fragment would, logically, be starting at offset 36. But if you look at frame 9 it says that this IP fragment starts at offset 24. This overlap is the essence of the teardrop attack.

So the question of 'what packet' is causing the attack is inaccurate. It's the use of the fragmentation feature in the IP header that allows for this. In this case the combination of the IP fragment in frame 8 (the setup) and in frame 9 (the hit) is the attack.

If you are looking for the source and destination address, look at the IP header of these fragments, although the source address might be spoofed as well.


answered 24 Jan '12, 04:37

Jaap ♦

Thanks for getting back to my question so quick. When I was analyzing the capture, I assumed the first 5 (loop) packets were the attack, so I guess I was wrong in this sense.

Looking for the source and destination, would I not look at the last couple of packets (the ping packets)?

(24 Jan '12, 14:38) ssams5

Why would they be related? It could be. It could be the attacker checking for success, but there is no way to tell for sure.

(25 Jan '12, 02:24) Jaap ♦
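The overlap Jaap describes (a 36-byte fragment at offset 0 in frame 8, followed by a fragment claiming offset 24 in frame 9) is something you can check mechanically rather than by eyeballing two frames. The script below is an added example, not code from the original thread or from the Wireshark project: it decodes the IPv4 header fields that matter for reassembly (identification, MF flag, fragment offset, payload length), groups fragments by the (source, destination, ID, protocol) tuple a receiver would reassemble on, and reports every pair whose byte ranges overlap, flagging the classic teardrop shape where the later fragment ends inside the earlier one. The two sample frames are constructed to mirror the numbers in the answer; the 10.0.0.x addresses and the IP ID are placeholders, not the values in teardrop.cap. To run it over the real capture, feed it the raw IP bytes of each frame from any pcap reader, or first narrow the capture in Wireshark with the display filter `ip.flags.mf == 1 || ip.frag_offset > 0` (Wireshark shows the offset already multiplied out to bytes, which is why frame 9 reads 24 rather than 3).

```python
import socket
import struct
from collections import defaultdict


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_fragment(src, dst, ident, offset_bytes, more_fragments, payload, proto=17):
    """Build one raw IPv4 fragment (header + payload). Offsets are given in bytes and,
    as on the wire, must be a multiple of 8. Used here only to construct sample input."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(raw):
    """Decode the header fields the overlap check needs from a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),
        # wire units of 8 bytes, converted to bytes the way Wireshark displays it
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload_len": total_len - ihl,
    }


def find_overlapping_fragments(frames):
    """frames: iterable of (frame_number, raw_ipv4_bytes).
    Returns one finding per pair of fragments of the same datagram whose byte ranges overlap."""
    seen = defaultdict(list)   # (src, dst, id, proto) -> [(frame, start, end), ...]
    findings = []
    for frame_no, raw in frames:
        p = parse_ipv4(raw)
        if not p["mf"] and p["offset"] == 0:
            continue                      # unfragmented datagram, nothing to reassemble
        key = (p["src"], p["dst"], p["id"], p["proto"])
        start, end = p["offset"], p["offset"] + p["payload_len"]
        for prev_frame, prev_start, prev_end in seen[key]:
            if start < prev_end and end > prev_start:
                findings.append({
                    "frames": (prev_frame, frame_no),
                    "src": p["src"], "dst": p["dst"], "id": p["id"],
                    "overlap": (max(start, prev_start), min(end, prev_end)),
                    # the later fragment ends inside the earlier one: the teardrop shape
                    "shrinks": end < prev_end,
                })
        seen[key].append((frame_no, start, end))
    return findings


# Constructed sample mirroring the answer: frame 8 carries a 36-byte fragment at offset 0,
# frame 9 claims to start at offset 24. Addresses and IP ID are placeholders, not the
# values found in teardrop.cap.
SAMPLE_FRAMES = [
    (8, build_ipv4_fragment("10.0.0.1", "10.0.0.2", 0x1234, 0, True, b"A" * 36)),
    (9, build_ipv4_fragment("10.0.0.1", "10.0.0.2", 0x1234, 24, False, b"B" * 4)),
]

if __name__ == "__main__":
    for f in find_overlapping_fragments(SAMPLE_FRAMES):
        print("frames %d/%d: %s -> %s id=0x%04x overlap bytes %d..%d shrinks=%s"
              % (f["frames"] + (f["src"], f["dst"], f["id"]) + f["overlap"] + (f["shrinks"],)))
```

The source and destination reported are simply what the IP header of the overlapping fragments says; as the answer notes, the source can be spoofed, so treat it as the address the attacker chose to put there, not proof of where the packets came from.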
question asked: 23 Jan '12, 21:00

question was seen: 7,889 times

last updated: 25 Jan '12, 02:24
