Ethereal-users: [Ethereal-users] Fragment reassembly in the face of an adversary

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Sebastien Rosset" <srosset@xxxxxxxxxxxxxxxx>
Date: Thu, 19 Jan 2006 11:39:57 -0800

What is the IP & TCP reassembly policy implemented by Ethereal? There is some documentation at http://wiki.ethereal.com/IP_Reassembly?highlight=%28assembly%29 but I could not find algorithm details when there are out-of-order, lost or duplicate packets. The Ethereal wish list includes an item that suggests reassembly does not work for out-of-order packets (?).

Operating systems use different reassembly algorithms (e.g. BSD, BSD-right, first, Linux…) so an adversary could exploit these variations to avoid detection. One consequence is that the TCP stream reassembled by Ethereal might not be the same as what the target operating system reassembled. Other techniques listed in the paper at http://www.icir.org/vern/papers/activemap-oak03.pdf might be used too. Ethereal is not an IDS but it might be used to analyze malicious traffic, so it would be useful to understand what reassembly policy is implemented. Ideally the Ethereal user would be able to select the reassembly policy.

Thank you and sorry if this has already been discussed elsewhere.

Sebastien
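To make the policy disagreement in the mail concrete, here is an added Python example (not Ethereal code and not part of the original message) that reassembles a constructed set of overlapping TCP segments under a "first" policy (earliest data wins) and a "last" policy (latest data wins), and lists the byte offsets where any policy choice can change the result. The segment contents, the two policy names and the hole check are my own assumptions; the real BSD, BSD-right and Linux rules from the linked paper are more nuanced than these two extremes.

```python
from typing import Dict, List, Optional, Set, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload)

# Constructed sample capture: three segments in the order a sniffer saw them.
# The third segment re-covers bytes 5..9 with different content than the
# second one carried, which is exactly the overlap the policies disagree on.
SEGMENTS: List[Segment] = [
    (15, b" HTTP/1.0\r\n"),   # arrives out of order (seq 15 before seq 0)
    (0, b"GET /index.html"),  # bytes 0..14
    (5, b"admin"),            # overlaps bytes 5..9 with conflicting data
]

def reassemble(segments: List[Segment], policy: str) -> Optional[bytes]:
    """Byte-wise reassembly in arrival order.
    'first': keep the byte from the earliest segment that covered an offset.
    'last' : let a later segment overwrite an offset it re-covers.
    Returns None if the covered range has a hole (a lost segment).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    stream: Dict[int, int] = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    end = max(stream) + 1
    if any(off not in stream for off in range(end)):
        return None  # hole: a segment is missing, no complete stream yet
    return bytes(stream[off] for off in range(end))

def conflicting_offsets(segments: List[Segment]) -> List[int]:
    """Offsets covered by two or more segments with different byte values.
    An empty list means every policy reassembles the same stream; a non-empty
    list means the analyst must not trust a single policy's output."""
    seen: Dict[int, Set[int]] = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            seen.setdefault(seq + i, set()).add(byte)
    return sorted(off for off, vals in seen.items() if len(vals) > 1)

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    print("conflicting offsets:", conflicting_offsets(SEGMENTS))
```

Run against a real capture, a non-empty conflict list is the signal that the stream Ethereal shows may differ from what the receiving host actually processed.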