Only the first fragment holds the UDP header. The rest just have IP headers
and bytes that follow. The IP Protocol Type would say that this is UDP, but
you won't see any UDP data, so an access list based on UDP port numbers
wouldn't catch these.
Here's an example. Don't let your eyes glaze over. Really look at it: ;-)
Here's the first frame. Notice it is UDP/RPC. RPC thinks there are 8268
bytes. IP says there are only 1268 bytes. The Sniffer tells us at the IP
layer that there are 7 frames. (That's not really in the packet; it's just
Sniffer output to help you understand.) Sniffer also tells us that from the
DLC viewpoint, there are 1282 bytes. See if you can figure out where that
number comes from.
DLC: ----- DLC Header -----
DLC:
DLC: [frame size is 1282 (0502 hex) bytes.]
DLC: Destination = Station Sun 07D347
DLC: Source = Station Apollo01368B
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 1268 bytes
IP: Identification = 52620
IP: Flags = 2X
IP: .0.. .... = may fragment
IP: ..1. .... = more fragments
IP: Fragment offset = 0 bytes
IP: Time to live = 29 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = AAEC (correct)
IP: Source address = [15.1.130.124]
IP: Destination address = [111.0.0.3]
IP: No options
IP:
IP: [Multi-Frame IP data, Frames: 1, 2, 3, 4, 5, 6, 7]
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 2049 (Sun RPC)
UDP: Destination port = 1023
UDP: Length = 8316
UDP: Checksum = 53FC (correct)
UDP: [8308 byte(s) of data]
UDP:
RPC: ----- SUN RPC Header -----
RPC:
RPC: Transaction id = 635368644
RPC: Type = 1 (Reply)
RPC: Status = 0 (Accepted)
RPC: Verifier: authorization flavor = 2 (Short)
RPC: [Verifier: 16 byte(s) of authorization data]
RPC: Accept status = 0 (Success)
RPC: [8268 bytes of data present]
RPC:
OK, here's the second frame. See if you can figure out how the Sniffer
knows that this goes with the first frame.
Frames 2-7 look essentially like this, so I won't show them all to you,
although the 7th frame is shorter than the others because there wasn't a
full packet's worth of data left. See if you can figure out how long the
7th frame was.
DLC: ----- DLC Header -----
DLC:
DLC: [frame size is 1282 (0502 hex) bytes.]
DLC: Destination = Station Sun 07D347
DLC: Source = Station Apollo01368B
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 1268 bytes
IP: Identification = 52620
IP: Flags = 2X
IP: .0.. .... = may fragment
IP: ..1. .... = more fragments
IP: Fragment offset = 1248 bytes
IP: Time to live = 29 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = AA50 (correct)
IP: Source address = [15.1.130.124]
IP: Destination address = [111.0.0.3]
IP: No options
IP:
IP: [1248 bytes of data continuation of IP ident = 52620]
IP:
Cool, eh? You can learn a lot from looking at IP fragments. By the way,
this wasn't a router fragmenting, although it would look exactly the same
if it were. In this case the source session layer (RPC) tried to send way
more data than IP could send and IP fragmented at the outset.
Priscilla
At 03:19 AM 12/6/01, Danny Rising II wrote:
>-----Original Message-----
>From: Danny Rising II [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, December 06, 2001 3:12 AM
>To: [EMAIL PROTECTED]
>Subject: UDP question
>
>
>OK guys, I am running into a little problem in my CCIE Written study. I have
>two different testing Engines and they have both gave me the same question
>but different answers on both tests. Does anyone know what the correct
>answer should be, here is the question they are asking.
>
>Which statement is true when a UDP packet has to be fragmented?
>A. only the first fragment has the UDP header
>B. All fragments hold the UDP header, so that access lists that look at the
>port would be usable
>C. The first fragment holds only the UDP header, not the UDP data. The UDP
>data is transmitted in the subsequent fragments.
>D. None of the Above.
________________________
Priscilla Oppenheimer
http://www.priscilla.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28307&t=28263
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
