1 Reply Latest reply on Sep 8, 2011 1:48 PM by SGROSSEN

    How to detect the source of IP fragments


      Hi, Recently we have several alerts from Too Many IP Fragments, we are changing the threshold in th DoS Policy, but i need to see where is the source of all ip fragments, inside the alert only see the stadistical but no the source-destination IP address.

        • 1. Re: How to detect the source of IP fragments

          For dos alerts like this, it gets tricky.  You sometimes may see a bucket of IP addresses in the Alert details, however since this is a threshold based alert, drilling in deeper is often not possible.


          Older versions of software allowed you to route DOS packets out a Sensor response port where you could capture via laptop/wireshark, however I beleive newer versions have dropped this feature since no one ever used it.   Newer M-series (2750 and higher) on version 6.x support packet capture from a spare span port on the sensor.  You could use this feature to capture a sample of traffic to isolate closer, or do a port monitor off a cisco swtich close to the sensor.


          Lastly, you may try re-learining your DoS profile.  If the fragmentation level is constant, the sensor will relearn the networks baseline, and these alerts will gradually fade away.