This is a static archive of our old Q&A Site. Please post any new questions and answers at

Wireshark teardrop attack help


How would I determine what packet is causing the direct attack of a teardrop attack? I'm using the Wireshark capture from the Wireshark wiki: teardrop.cap

How would I analyze this capture to determine the source IP address of the attack and the destination's IP address?

asked 23 Jan '12, 21:00

ssams5

edited 25 Jan '12, 02:24

Jaap ♦

One Answer:


If you load the referenced capture and take a look at frames 8 and 9, you'll see that frame 8 contains an IP fragment with a payload 36 bytes long. The next fragment would, logically, start at offset 36. But if you look at frame 9, it says that this IP fragment starts at offset 24. This overlap is the essence of the teardrop attack.

So the question of 'what packet' is causing the attack is inaccurate. It's the use of the fragmentation feature in the IP header that allows for this. In this case, the combination of the IP fragment in frame 8 (the setup) and the one in frame 9 (the hit) is the attack.

If you are looking at the source and destination address, look at the IP header of these fragments, although the source address might be spoofed as well.

answered 24 Jan '12, 04:37

Jaap ♦

Thanks for getting back to my question so quickly. When I was analyzing the capture, I assumed the first 5 (loop) packets were the attack, so I guess I was wrong in this sense.

Looking for the source and destination, would I not look at the last couple of packets (the ping packets)?

(24 Jan '12, 14:38) ssams5

Why would they be related? It could be. It could be the attacker checking for success, but there is no way to tell for sure.

(25 Jan '12, 02:24) Jaap ♦
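
The overlap check described in the answer, as an added example that is not part of the original thread: it parses raw IPv4 headers (no link-layer header), groups fragments by source, destination, protocol and IP ID, and reports any pair whose byte ranges overlap. The sample packets are constructed to mirror the answer's values (36-byte payload at offset 0, next fragment at offset 24); the addresses, IP ID and the second fragment's 4-byte length are assumptions.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt: bytes):
    """Return (reassembly key, start, end, more_fragments) for one IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("bad header or total length")
    start = (flags_frag & 0x1FFF) * 8      # offset field counts 8-byte units
    end = start + (total_len - ihl)        # first byte past this fragment's payload
    more = bool(flags_frag & 0x2000)       # MF (more fragments) flag
    return (src, dst, proto, ident), start, end, more

def find_overlaps(packets):
    """Return [(frame_a, frame_b, key, overlap_bytes)] for overlapping fragments."""
    seen = defaultdict(list)               # key -> [(frame_no, start, end)]
    findings = []
    for frame_no, pkt in packets:
        key, start, end, more = parse_ipv4(pkt)
        if start == 0 and not more:
            continue                       # unfragmented datagram
        for prev_no, p_start, p_end in seen[key]:
            overlap = min(end, p_end) - max(start, p_start)
            if overlap > 0:
                findings.append((prev_no, frame_no, key, overlap))
        seen[key].append((frame_no, start, end))
    return findings

def make_fragment(src, dst, ident, offset, payload_len, more):
    """Build a constructed IPv4/UDP fragment (checksum 0, filler payload)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, 17, 0, bytes(src), bytes(dst))
    return hdr + b"\x00" * payload_len

# Constructed sample: documentation addresses and an arbitrary IP ID.
SRC, DST = (192, 0, 2, 1), (198, 51, 100, 2)
SAMPLE = [
    (8, make_fragment(SRC, DST, 0x00F2, 0, 36, True)),    # covers bytes 0..35
    (9, make_fragment(SRC, DST, 0x00F2, 24, 4, False)),   # starts at 24: overlap
]

if __name__ == "__main__":
    for a, b, key, n in find_overlaps(SAMPLE):
        print(f"frames {a} and {b} overlap by {n} bytes, src={'.'.join(map(str, key[0]))}")
```

The source address in the reported key comes straight from the fragment headers, so it is only as trustworthy as the header itself.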