How would I determine what packet is causing the direct attack of a teardrop attack? I'm using the Wireshark capture from the Wireshark wiki: teardrop.cap
How would I analyze this capture to determine the source IP address of the attack and the destination's IP address?
asked 23 Jan '12, 21:00
edited 25 Jan '12, 02:24
If you load the referenced capture and take a look at frames 8 and 9, you'll see that frame 8 contains an IP fragment with a payload 36 bytes long. The next fragment would, logically, start at offset 36. But if you look at frame 9, it says that this IP fragment starts at offset 24. This overlap is the essence of the teardrop attack.
So the question 'what packet is causing the attack' is inaccurate. It's the use of the fragmentation feature in the IP header that allows for this. In this case the combination of the IP fragment in frame 8 (the setup) and the one in frame 9 (the hit) is the attack.
If you are looking for the source and destination address, look at the IP header of these fragments, although the source address might be spoofed as well.
answered 24 Jan '12, 04:37
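The overlap check described in the answer, as an added example (not code from the original thread or from Wireshark): it parses the IPv4 header of each frame, groups fragments by (source, destination, identification) and flags any fragment whose offset starts before the previous fragment ended. The frames below are constructed to mirror the capture (a 36-byte first fragment followed by one at offset 24); the addresses and identification value are made up.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address

IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total len, ident, flags+offset, TTL, proto, csum, src, dst

def build_fragment(src, dst, ident, offset, payload, more):
    """Constructed IPv4 fragment for testing (checksum left at zero, protocol UDP)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF flag + 13-bit offset in 8-byte units
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, 17, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

def parse_fragment(frame):
    """Return (src, dst, ident, offset_bytes, payload_len, more_fragments) from an IPv4 frame."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum, src, dst = struct.unpack(IPV4_HDR, frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a valid IPv4 header")
    offset = (flags_frag & 0x1FFF) * 8
    return str(ip_address(src)), str(ip_address(dst)), ident, offset, total_len - ihl, bool(flags_frag & 0x2000)

def find_overlaps(frames):
    """Report fragments that start before the previous fragment of the same datagram ends."""
    by_datagram = defaultdict(list)
    for frame_no, frame in enumerate(frames, start=1):
        src, dst, ident, offset, plen, _more = parse_fragment(frame)
        by_datagram[(src, dst, ident)].append((offset, plen, frame_no))
    alerts = []
    for (src, dst, ident), frags in by_datagram.items():
        end, prev_frame = 0, None
        for offset, plen, frame_no in sorted(frags):
            if prev_frame is not None and offset < end:
                alerts.append({"src": src, "dst": dst, "ident": ident, "first_frame": prev_frame,
                               "second_frame": frame_no, "overlap": end - offset})
            end, prev_frame = max(end, offset + plen), frame_no
    return alerts

# Constructed frames: frames 1-2 form a benign datagram, frames 3-4 reproduce the teardrop overlap.
FRAMES = [
    build_fragment("10.0.0.5", "10.0.0.9", 1, 0, b"a" * 16, True),
    build_fragment("10.0.0.5", "10.0.0.9", 1, 16, b"b" * 8, False),
    build_fragment("10.0.0.1", "10.0.0.2", 242, 0, b"x" * 36, True),   # the setup
    build_fragment("10.0.0.1", "10.0.0.2", 242, 24, b"y" * 4, False),  # the hit: starts inside the first
]

if __name__ == "__main__":
    for alert in find_overlaps(FRAMES):
        print(alert)
```

Because the source address in the header is what the detector reports, a spoofed source will be reported as-is; the check only proves the overlap, not who sent it.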