How to detect the source of IP fragments

Hi, recently we have had several alerts from Too Many IP Fragments. We are changing the threshold in the DoS Policy, but I need to see where the source of all the IP fragments is; inside the alert I only see the statistics but not the source/destination IP addresses.

Re: How to detect the source of IP fragments

For DoS alerts like this, it gets tricky. You may sometimes see a bucket of IP addresses in the Alert details; however, since this is a threshold-based alert, drilling in deeper is often not possible.

Older versions of the software allowed you to route DoS packets out a Sensor response port where you could capture them via a laptop and Wireshark; however, I believe newer versions have dropped this feature since no one ever used it. Newer M-series (2750 and higher) on version 6.x support packet capture from a spare span port on the sensor. You could use this feature to capture a sample of traffic to isolate it more closely, or do a port monitor off a Cisco switch close to the sensor.

Lastly, you may try re-learning your DoS profile. If the fragmentation level is constant, the sensor will relearn the network's baseline, and these alerts will gradually fade away.

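Once a span-port or laptop capture is in hand, the question becomes which hosts are actually emitting the fragments. The following is an added example, not code from the thread or from the sensor vendor: it decodes raw IPv4 headers, counts fragments per source address, groups them by (source, destination, identification) so each reassembly chain is visible, and lists the sources at or above a chosen threshold. The sample packets are constructed in the file itself; the threshold value, addresses and identification numbers are assumptions for illustration only.

```python
"""Aggregate IPv4 fragments from raw packet bytes by source address.

Added example (not from the forum thread). Input is a list of raw IPv4
packets (bytes); the sample packets below are constructed here, not taken
from any real capture.
"""
import struct
from collections import Counter, defaultdict

MORE_FRAGMENTS = 0x2000    # MF bit in the flags/fragment-offset field
FRAG_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header; raise on anything that is not IPv4."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    offset = flags_frag & FRAG_OFFSET_MASK
    more = bool(flags_frag & MORE_FRAGMENTS)
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ident": ident,
        "proto": proto,
        "total_len": total_len,
        "frag_offset": offset,
        "more_fragments": more,
        # A packet is a fragment if it is not the last piece (MF set)
        # or not the first piece (non-zero offset).
        "is_fragment": more or offset != 0,
    }


def fragments_by_source(packets) -> Counter:
    """Count fragment packets per source IP, skipping non-IPv4 input."""
    counts = Counter()
    for pkt in packets:
        try:
            hdr = parse_ipv4_header(pkt)
        except ValueError:
            continue
        if hdr["is_fragment"]:
            counts[hdr["src"]] += 1
    return counts


def fragment_groups(packets) -> dict:
    """Group fragment offsets by (src, dst, ident) so each reassembly chain is visible."""
    groups = defaultdict(list)
    for pkt in packets:
        try:
            hdr = parse_ipv4_header(pkt)
        except ValueError:
            continue
        if hdr["is_fragment"]:
            groups[(hdr["src"], hdr["dst"], hdr["ident"])].append(hdr["frag_offset"])
    return {key: sorted(offsets) for key, offsets in groups.items()}


def sources_over_threshold(packets, threshold: int) -> list:
    """Sources whose fragment count meets or exceeds the threshold, busiest first."""
    return [src for src, n in fragments_by_source(packets).most_common() if n >= threshold]


def build_ipv4(src: str, dst: str, ident: int, offset: int, more: bool,
               payload_len: int = 8) -> bytes:
    """Construct a minimal IPv4/UDP packet for testing (checksum left zero;
    the parser above does not verify it)."""
    flags_frag = (MORE_FRAGMENTS if more else 0) | (offset & FRAG_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + b"\x00" * payload_len


# Constructed sample: one host sends a 5-piece fragmented datagram, another
# sends a single stray fragment, a third sends only whole datagrams, and one
# non-IPv4 packet is included to show it is skipped rather than miscounted.
SAMPLE_PACKETS = (
    [build_ipv4("10.0.0.5", "192.0.2.10", 0x1234, i, more=(i < 4)) for i in range(5)]
    + [build_ipv4("10.0.0.7", "192.0.2.10", 0x0042, 3, more=False)]
    + [build_ipv4("10.0.0.9", "192.0.2.10", n, 0, more=False) for n in (1, 2)]
    + [b"\x60" + b"\x00" * 39]
)

if __name__ == "__main__":
    for src, n in fragments_by_source(SAMPLE_PACKETS).most_common():
        print(f"{src:<15} {n} fragment(s)")
    print("over threshold (3):", sources_over_threshold(SAMPLE_PACKETS, 3))
```

To use this on a real capture, feed it the IPv4 payload of each frame (after stripping the Ethernet header) and set the threshold to match the value configured in the DoS policy; the per-chain grouping also shows whether a noisy source is legitimately fragmenting large datagrams (contiguous offsets ending in a packet without MF) or emitting stray fragments that never complete.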