Hi, recently we have had several alerts for Too Many IP Fragments. We are changing the threshold in the DoS Policy, but I need to see where the source of all the IP fragments is; inside the alert I only see the statistics but not the source/destination IP addresses.
For DoS alerts like this, it gets tricky. You sometimes may see a bucket of IP addresses in the alert details; however, since this is a threshold-based alert, drilling in deeper is often not possible.
Older versions of the software allowed you to route DoS packets out a sensor response port where you could capture them via laptop/Wireshark; however, I believe newer versions have dropped this feature since no one ever used it. Newer M-series (2750 and higher) on version 6.x support packet capture from a spare SPAN port on the sensor. You could use this feature to capture a sample of traffic to isolate it closer, or do a port monitor off a Cisco switch close to the sensor.
Lastly, you may try re-learning your DoS profile. If the fragmentation level is constant, the sensor will relearn the network's baseline, and these alerts will gradually fade away.
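Once a sample capture has been taken from a SPAN port or switch port monitor as described above, the missing piece is turning it into a list of which source/destination pairs are actually producing the fragments. The script below is an added example, not code from the thread or from the sensor vendor; it assumes a classic libpcap file (not pcapng) with Ethernet framing and counts packets whose IPv4 header has the More Fragments bit set or a non-zero fragment offset. The sample packets are constructed inline so it runs offline without a capture.

```python
"""Count which (src, dst) pairs are emitting IPv4 fragments in a capture.

Added example (not from the original thread). Assumes a classic libpcap file
with Ethernet link type; SAMPLE_PACKETS are constructed so the script runs offline.
"""
import socket
import struct
import sys
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
MF_FLAG = 0x2000       # "More Fragments" bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset (in 8-byte units)


def parse_ipv4(packet):
    """Return (src, dst, is_fragment) for a raw IPv4 packet, or None if it is not IPv4.

    A packet belongs to a fragment series when MF is set (not the last piece)
    or the fragment offset is non-zero (not the first piece).
    """
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return None
    flags_off = struct.unpack("!H", packet[6:8])[0]
    is_frag = bool(flags_off & MF_FLAG) or (flags_off & OFFSET_MASK) != 0
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), is_frag


def fragment_sources(packets):
    """Count fragments per (src, dst) pair over an iterable of raw IPv4 packets."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is not None and parsed[2]:
            counts[(parsed[0], parsed[1])] += 1
    return counts


def iter_pcap_ipv4(path):
    """Yield raw IPv4 packets from a classic libpcap file (Ethernet link type, not pcapng)."""
    with open(path, "rb") as f:
        global_hdr = f.read(24)
        if len(global_hdr) < 24:
            return
        magic = struct.unpack("<I", global_hdr[:4])[0]
        # Magic read little-endian equals the canonical value only for little-endian files
        endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            frame = f.read(incl_len)
            if len(frame) < 14:
                continue
            if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4:
                yield frame[14:]  # strip the 14-byte Ethernet header


def build_ipv4(src, dst, flags_off, payload=b"\x00" * 8):
    """Construct a minimal IPv4/UDP packet (checksum left zero; enough for header parsing)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5 (20-byte header)
        0,                  # DSCP/ECN
        20 + len(payload),  # total length
        0x1234,             # identification (shared by all fragments of one datagram)
        flags_off,          # flags (3 bits) + fragment offset (13 bits)
        64,                 # TTL
        17,                 # protocol: UDP
        0,                  # header checksum (not validated here)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return header + payload


# Constructed sample traffic (assumed addresses from private/documentation ranges):
# one host fragmenting heavily, one normal DF packet, one other fragmenting host.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "192.0.2.10", MF_FLAG | 0),    # first fragment
    build_ipv4("10.0.0.5", "192.0.2.10", MF_FLAG | 185),  # middle fragment
    build_ipv4("10.0.0.5", "192.0.2.10", 370),            # last fragment (MF clear)
    build_ipv4("10.0.0.7", "192.0.2.10", 0x4000),         # DF set, not a fragment
    build_ipv4("10.0.0.9", "192.0.2.11", MF_FLAG),        # first fragment
]


def top_fragment_sources(packets, n=10):
    """Return the n busiest (src, dst) pairs by fragment count, descending."""
    return fragment_sources(packets).most_common(n)


if __name__ == "__main__":
    # Usage: python frag_sources.py capture.pcap   (no argument: use the built-in sample)
    pkts = iter_pcap_ipv4(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PACKETS
    for (src, dst), count in top_fragment_sources(pkts):
        print(f"{src:>15} -> {dst:<15} {count} fragments")
```

Counting by (src, dst) pair rather than by source alone separates a single chatty host from a scan-like pattern spread over many destinations, which is the distinction that decides whether raising the DoS threshold or re-learning the profile is the right response.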