Operator On The Wire

IP Fragmentation


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Goal

An attacker splits packets into multiple IP fragments to:

  • Bypass simple firewalls
  • Evade IDS/IPS
  • Obfuscate TCP flags (e.g., SYN scan)

Instead of one clean TCP SYN, you see:

IP Fragment 1
IP Fragment 2
IP Fragment 3

Filters

---------------------------------------------------------------------------------

# Fragmentation + Port Sweep Pattern
(ip.flags.mf == 1 || ip.frag_offset > 0) && tcp

→ Add Destination Port column
→ Sort by time
→ Look for rapid port changes from same source

---------------------------------------------------------------------------------

# Get ALL
ip.flags.mf == 1 || ip.frag_offset > 0

---------------------------------------------------------------------------------

# Only first fragments
ip.flags.mf == 1 && ip.frag_offset == 0

---------------------------------------------------------------------------------

# Non-first fragments (no TCP header)
ip.frag_offset > 0

---------------------------------------------------------------------------------

# Suspicious tiny fragments
ip.len < 100 && (ip.flags.mf == 1 || ip.frag_offset > 0)

---------------------------------------------------------------------------------

# SYN fragments (possible scanning)
ip.flags.mf == 1 && ip.frag_offset == 0 && tcp.flags.syn == 1

---------------------------------------------------------------------------------

# Bursts of RST (possible scanning)
tcp.flags.reset == 1

---------------------------------------------------------------------------------

Overlapping Fragments

Fragmented packets where:

  • TTL unusually low
  • Overlapping fragments
  • Weird fragment offsets (gaps, or offsets that land inside an earlier fragment)

# Overlapping fragments (ip.fragment.* fields are only populated when IPv4 reassembly is enabled in the IP protocol preferences)
ip.fragment.overlap == 1
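The filters above and the overlap check can be reproduced outside Wireshark when you need to score a capture in bulk. The script below is an added example written for this page, not code from the original page or from Wireshark: it builds a small constructed set of raw IPv4 packets (a two-fragment SYN sweep from 10.0.0.5, one overlapping fragment pair, one benign unfragmented SYN), parses the IP header the same way the display filters read it (`mf`, `frag_offset` in bytes, `len`), tags each packet with the same categories as the filter list, detects overlapping fragments per (src, dst, id, proto) group, and flags a source that hits five or more distinct destination ports inside a one-second window. The packet contents, the addresses and the sweep thresholds (`window`, `min_ports`) are assumptions chosen for the example.

```python
"""Fragment hunting over raw IPv4 packets, mirroring the Wireshark filters above.
Added example with constructed packets; not from the original page."""
import socket
import struct
from collections import defaultdict

TCP_SYN, TCP_RST = 0x02, 0x04


def build_tcp_header(sport, dport, flags):
    # Minimal 20-byte TCP header, no options; checksum left at zero (constructed data)
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0)


def build_ipv4(src, dst, ident, payload, offset_words=0, mf=0, ttl=64, proto=6):
    # Fragment field: bit 13 = MF flag, low 13 bits = offset in 8-byte units (constructed packet)
    flags_frag = (mf << 13) | offset_words
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(ts, pkt):
    """Extract the fields the display filters use; frag_offset is in bytes like ip.frag_offset."""
    ver_ihl, _, total_len, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    rec = {"ts": ts, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident,
           "len": total_len, "ttl": ttl, "proto": proto, "mf": (flags_frag >> 13) & 1,
           "frag_offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}
    # TCP ports and flags are only visible in the first fragment, and only if it carries byte 13
    if proto == 6 and rec["frag_offset"] == 0 and len(rec["payload"]) >= 14:
        sport, dport = struct.unpack("!HH", rec["payload"][:4])
        rec["tcp"] = {"sport": sport, "dport": dport, "flags": rec["payload"][13]}
    return rec


def classify(rec):
    """Tags matching the filter list: fragment, first/non-first, tiny, SYN fragment, RST."""
    tags, tcp = [], rec.get("tcp", {})
    if rec["mf"] == 1 or rec["frag_offset"] > 0:            # ip.flags.mf == 1 || ip.frag_offset > 0
        tags.append("fragment")
        if rec["mf"] == 1 and rec["frag_offset"] == 0:
            tags.append("first_fragment")
        if rec["frag_offset"] > 0:
            tags.append("non_first_fragment")
        if rec["len"] < 100:                                 # ip.len < 100
            tags.append("tiny_fragment")
        if tcp.get("flags", 0) & TCP_SYN:                    # tcp.flags.syn == 1 on a first fragment
            tags.append("syn_fragment")
    if tcp.get("flags", 0) & TCP_RST:                        # tcp.flags.reset == 1
        tags.append("rst")
    return tags


def find_overlaps(records):
    """Group fragments by (src, dst, id, proto) and report groups where an offset lands inside an earlier fragment."""
    groups = defaultdict(list)
    for r in records:
        if r["mf"] or r["frag_offset"]:
            groups[(r["src"], r["dst"], r["id"], r["proto"])].append(r)
    overlapping = []
    for key, frags in groups.items():
        end = 0
        for f in sorted(frags, key=lambda r: r["frag_offset"]):
            if f["frag_offset"] < end:
                overlapping.append(key)
                break
            end = max(end, f["frag_offset"] + len(f["payload"]))
    return overlapping


def port_sweeps(records, window=1.0, min_ports=5):
    """Per source, the largest number of distinct destination ports hit by fragmented SYNs within `window` seconds."""
    by_src = defaultdict(list)
    for r in records:
        if "syn_fragment" in classify(r):
            by_src[r["src"]].append((r["ts"], r["tcp"]["dport"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


def sample_capture():
    """Constructed capture: 5-port sweep as 2-fragment SYNs, one overlapping pair, one benign SYN."""
    pkts, t = [], 0.0
    for i, port in enumerate([22, 80, 443, 445, 3389]):
        tcp, ident = build_tcp_header(40000 + i, port, TCP_SYN), 0x1000 + i
        pkts.append((t, build_ipv4("10.0.0.5", "10.0.0.9", ident, tcp[:16], 0, 1)))       # header bytes 0-15
        pkts.append((t + 0.01, build_ipv4("10.0.0.5", "10.0.0.9", ident, tcp[16:], 2, 0)))  # bytes 16-19
        t += 0.1
    tcp = build_tcp_header(50000, 8080, TCP_SYN)
    pkts.append((t, build_ipv4("10.0.0.5", "10.0.0.9", 0x3333, tcp[:16], 0, 1)))
    pkts.append((t + 0.01, build_ipv4("10.0.0.5", "10.0.0.9", 0x3333, tcp[8:], 1, 0)))    # offset 8 overlaps bytes 8-15
    pkts.append((t + 5.0, build_ipv4("10.0.0.7", "10.0.0.9", 0x4444, build_tcp_header(51000, 443, TCP_SYN))))
    return [parse_ipv4(ts, p) for ts, p in pkts]


def hunt(records, window=1.0, min_ports=5):
    count = lambda tag: sum(tag in classify(r) for r in records)
    return {"fragments": count("fragment"), "first": count("first_fragment"), "tiny": count("tiny_fragment"),
            "syn_fragments": count("syn_fragment"), "overlaps": find_overlaps(records),
            "sweeps": port_sweeps(records, window, min_ports)}


if __name__ == "__main__":
    print(hunt(sample_capture()))
```

The overlap check is the same condition Wireshark's reassembler uses to set `ip.fragment.overlap`, and the sweep window is the scripted form of "add a Destination Port column, sort by time, look for rapid port changes from the same source"; on a real capture feed `parse_ipv4` the timestamp and IP-layer bytes of each frame.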

Killchain

  • Attacker initiates reconnaissance against target host
  • Sends TCP SYN packets split into multiple IP fragments
  • First fragment contains TCP header (SYN flag)
  • Subsequent fragments carry remaining payload (no TCP flags visible)
  • Fragments may be unusually small (MTU evasion)
  • Packets are sent rapidly across multiple destination ports
  • Target responds with RST (closed ports) or SYN-ACK (open ports)
  • Attacker collects port state results
  • Scan completes with fragmented traffic intended to evade IDS/firewall inspection