1 Reply Latest reply on Sep 8, 2011 1:48 PM by SGROSSEN

    How to detect the source of IP fragments

    bperez

      Hi. Recently we have had several alerts for Too Many IP Fragments. We are changing the threshold in the DoS Policy, but I need to see where the source of all the IP fragments is; inside the alert I only see the statistics but not the source/destination IP addresses.

        • 1. Re: How to detect the source of IP fragments
          SGROSSEN

          For dos alerts like this, it gets tricky.  You sometimes may see a bucket of IP addresses in the Alert details, however since this is a threshold based alert, drilling in deeper is often not possible.


          Older versions of the software allowed you to route DoS packets out a Sensor response port where you could capture them via laptop/Wireshark; however, I believe newer versions have dropped this feature since no one ever used it.   Newer M-series (2750 and higher) on version 6.x support packet capture from a spare SPAN port on the sensor.  You could use this feature to capture a sample of traffic to isolate it more closely, or do a port monitor off a Cisco switch close to the sensor.


          Lastly, you may try re-learning your DoS profile.  If the fragmentation level is constant, the sensor will relearn the network's baseline, and these alerts will gradually fade away.
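Once you have a capture from the SPAN port, the question becomes how to tell which hosts are actually emitting the fragments. The script below is an added example, not code from the original thread or from the sensor vendor: it parses raw IPv4 headers, flags a packet as a fragment when the More Fragments bit is set or the fragment offset is non-zero (the same test the sensor's counter is based on), and tallies fragments per source/destination pair and fragmented datagrams per source. The packets it runs on are constructed inline for the demonstration; the addresses and identification values are made up.

```python
"""Tally IPv4 fragments per source address from raw IPv4 packets.

A packet is a fragment when the More Fragments (MF) flag is set or the
fragment offset is non-zero. Header layout used (RFC 791, no options):
  byte 0      version (4 bits) / IHL (4 bits)
  bytes 2-3   total length
  bytes 4-5   identification
  bytes 6-7   flags (3 bits: reserved, DF, MF) + fragment offset (13 bits, 8-byte units)
  bytes 12-15 source address
  bytes 16-19 destination address
"""
import socket
import struct
from collections import Counter, defaultdict

MF_FLAG = 0x2000          # More Fragments bit within the flags/offset field
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset


def build_ipv4_packet(src, dst, ident, mf, offset_units, payload_len=8):
    """Construct a minimal IPv4 packet for the sample data (checksum left zero)."""
    flags_frag = (MF_FLAG if mf else 0) | (offset_units & OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, 17, 0,                      # TTL, protocol UDP, checksum
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + b"\x00" * payload_len


def parse_ipv4(packet):
    """Return (src, dst, ident, mf, offset_bytes), or None if not a sane IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    ident, flags_frag = struct.unpack("!HH", packet[4:8])
    mf = bool(flags_frag & MF_FLAG)
    offset_bytes = (flags_frag & OFFSET_MASK) * 8
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, ident, mf, offset_bytes


def is_fragment(parsed):
    """First fragment has MF set and offset 0; later ones have offset > 0."""
    _, _, _, mf, offset_bytes = parsed
    return mf or offset_bytes > 0


def fragment_sources(packets):
    """Return (fragments per (src, dst) pair, fragmented datagrams per src).

    A datagram is identified by (dst, identification) per source; the protocol
    field is ignored here as a simplification.
    """
    per_pair = Counter()
    datagrams = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None or not is_fragment(parsed):
            continue
        src, dst, ident, _, _ = parsed
        per_pair[(src, dst)] += 1
        datagrams[src].add((dst, ident))
    return per_pair, {src: len(ids) for src, ids in datagrams.items()}


def top_fragment_sources(packets):
    """Sources ordered by fragment count, most talkative first."""
    per_pair, _ = fragment_sources(packets)
    per_src = Counter()
    for (src, _), n in per_pair.items():
        per_src[src] += n
    return per_src.most_common()


# Constructed sample: two fragmented datagrams from 10.0.0.5, one from 10.0.0.7,
# and one whole (unfragmented) packet from 10.0.0.9. 185 units = 1480 bytes.
SAMPLE_PACKETS = [
    build_ipv4_packet("10.0.0.5", "192.0.2.10", 100, True, 0),
    build_ipv4_packet("10.0.0.5", "192.0.2.10", 100, True, 185),
    build_ipv4_packet("10.0.0.5", "192.0.2.10", 100, False, 370),
    build_ipv4_packet("10.0.0.5", "192.0.2.10", 101, True, 0),
    build_ipv4_packet("10.0.0.5", "192.0.2.10", 101, False, 185),
    build_ipv4_packet("10.0.0.7", "192.0.2.10", 7, True, 0),
    build_ipv4_packet("10.0.0.7", "192.0.2.10", 7, False, 185),
    build_ipv4_packet("10.0.0.9", "192.0.2.10", 9, False, 0),
]

if __name__ == "__main__":
    for src, count in top_fragment_sources(SAMPLE_PACKETS):
        print(f"{src:<16} {count} fragments")
```

On a real capture file, the same test can be expressed as a Wireshark display filter, `ip.flags.mf == 1 || ip.frag_offset > 0`, and a quick per-pair count from the command line is `tshark -r capture.pcap -Y "ip.flags.mf == 1 || ip.frag_offset > 0" -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -rn`. Note that a single host legitimately sending large UDP datagrams (NFS, some VPN or backup traffic) will also show up here, so compare the count of distinct fragmented datagrams against the fragment count before concluding a host is misbehaving.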