Ethereal-users: [Ethereal-users] Fragment reassembly in the face of an adversary
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
What is the IP & TCP reassembly policy implemented by
Ethereal? There is some documentation at http://wiki.ethereal.com/IP_Reassembly?highlight=%28assembly%29
but I could not find algorithm details when there are out-of-order, lost or
duplicate packets. The Ethereal wish list includes an item that suggests
reassembly does not work for out-of-order packets (?).
Operating systems use different reassembly algorithms (e.g.
BSD, BSD-right, first, Linux…) so an adversary could exploit these
variations to avoid detection. One consequence is that the TCP stream
reassembled by Ethereal might not be the same as what the target operating
system reassembled. Other techniques listed in the paper at http://www.icir.org/vern/papers/activemap-oak03.pdf
might be used too. Ethereal is not an IDS but it might be used to analyze
malicious traffic, so it would be useful to understand what reassembly policy
is implemented. Ideally the Ethereal user would be able to select the
reassembly policy.
Thank you and sorry if this has already been discussed
elsewhere.
Sebastien
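The divergence the post is worried about can be made concrete. The following is an added example, not code from the original post or from Ethereal: a small Python simulator for the five overlap policies named in the Active Mapping paper the post links to (First, Last, BSD, BSD-right, Linux), applied to a constructed set of overlapping fragments. The policy rules are paraphrased from that paper's definitions (which fragment wins an overlapping byte depends on the arrival order and on which fragment has the lower offset). It is a simplified per-byte model: offsets are in bytes rather than the 8-byte units real IP uses, and real stacks trim whole fragments in place rather than deciding byte by byte, so on pathological inputs this model can differ from a real kernel. The fragment set is constructed so that every policy produces a different datagram, which is exactly the ambiguity an analyzer faces when it does not know the target's policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset of this fragment inside the datagram
    data: bytes      # payload carried by the fragment

# Overlap policies, paraphrased from the Active Mapping paper.
# Each predicate answers: does a NEWLY arrived fragment (offset new_off)
# take an overlapping byte currently owned by an earlier fragment
# (offset old_off)?
POLICIES = {
    "first":     lambda old_off, new_off: False,              # original always wins
    "last":      lambda old_off, new_off: True,               # newest always wins
    "bsd":       lambda old_off, new_off: new_off < old_off,  # lower offset wins, ties to original
    "bsd-right": lambda old_off, new_off: new_off >= old_off, # higher offset wins, ties to newest
    "linux":     lambda old_off, new_off: new_off <= old_off, # lower offset wins, ties to newest
}

def reassemble(fragments, policy):
    """Reassemble fragments (in arrival order) under one overlap policy.

    Returns the datagram payload as bytes. Raises ValueError if the
    fragments leave a hole, which a real stack would keep waiting on.
    """
    rule = POLICIES[policy]
    total = max(f.offset + len(f.data) for f in fragments)
    # One slot per byte: (value, offset of the fragment that owns it) or None.
    buf = [None] * total
    for frag in fragments:
        for i, value in enumerate(frag.data):
            pos = frag.offset + i
            slot = buf[pos]
            if slot is None or rule(slot[1], frag.offset):
                buf[pos] = (value, frag.offset)
    if any(slot is None for slot in buf):
        raise ValueError("hole in reassembled datagram")
    return bytes(slot[0] for slot in buf)

def reassemble_all(fragments):
    """Run every policy over the same fragments; returns {policy: payload}."""
    return {name: reassemble(fragments, name) for name in POLICIES}

# Constructed adversarial fragment set (not captured traffic). Arrival order
# matters: later fragments overlap earlier ones at lower, equal and higher
# offsets so that every policy resolves the overlaps differently.
ADVERSARIAL_FRAGMENTS = [
    Fragment(0, b"111111"),   # bytes 0-5
    Fragment(4, b"22222"),    # bytes 4-8, overlaps tail of the first
    Fragment(2, b"3333"),     # bytes 2-5, lower offset than fragment 2
    Fragment(0, b"44"),       # bytes 0-1, same offset as fragment 1 (a tie)
    Fragment(6, b"55"),       # bytes 6-7, inside fragment 2
    Fragment(3, b"6666"),     # bytes 3-6, straddles several owners
]

if __name__ == "__main__":
    for name, payload in reassemble_all(ADVERSARIAL_FRAGMENTS).items():
        print(f"{name:10s} {payload.decode()}")
```

Running it prints five different payloads for the same six packets. A sniffer that picks one policy will show one of them; the host under attack may have acted on another, which is why the post's request for a selectable reassembly policy matters when Ethereal is used to review suspected attack traffic.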