James A. Robbins wrote:
Have you looked at snort?

It's on my todo list. I thought it was only an IDS. Does it also reassemble fragments?

snort does fragment and stream reassembly as part of its IDS function.


Just be very careful to get the latest version, because the reassembly stuff has been worked on, and especially because earlier versions have the recently announced RPC decoder vulnerability that can give you a bad case of remote root compromise. In fact, I don't even know if a patched version is available yet.

Speaking more generally, fragment reassembly is a tricky business because it's hard to do without opening yourself up to fragment-based denial of service conditions.

--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
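
The point above about fragment-based denial of service, as an added example (not part of the original message and not Snort's code): a reassembly table that bounds the state an unauthenticated sender can make it hold. The class name, key layout and limit values are assumptions chosen for illustration.

```python
# Added example: bounded IPv4 fragment reassembly. All limits are assumed values.
MAX_DATAGRAMS = 64   # cap on concurrent incomplete datagrams
MAX_FRAGS = 32       # cap on fragments held per datagram
MAX_LEN = 65535      # largest legal IPv4 datagram
TIMEOUT = 30.0       # seconds before incomplete state is discarded

class Reassembler:
    def __init__(self):
        self.table = {}   # key -> {"first": time, "frags": {offset: bytes}, "total": int|None}
        self.dropped = 0  # count of discarded datagrams/fragments

    def _drop(self, key):
        self.table.pop(key, None)
        self.dropped += 1

    def add(self, key, offset, data, more, now):
        """key = (src, dst, proto, ip_id). Returns the payload once complete, else None."""
        for old in [k for k, e in self.table.items() if now - e["first"] > TIMEOUT]:
            self._drop(old)                          # expire stale state first
        end = offset + len(data)
        if not data or end > MAX_LEN or (more and len(data) % 8):
            return self._drop(key)                   # malformed or oversized
        entry = self.table.get(key)
        if entry is None:
            if len(self.table) >= MAX_DATAGRAMS:     # table full: refuse new state
                self.dropped += 1
                return None
            entry = self.table[key] = {"first": now, "frags": {}, "total": None}
        if len(entry["frags"]) >= MAX_FRAGS:
            return self._drop(key)                   # too many pieces for one datagram
        for o, d in entry["frags"].items():
            if offset < o + len(d) and o < end:
                return self._drop(key)               # overlapping fragments: discard all
        if not more:
            if entry["total"] is not None:
                return self._drop(key)               # second "last" fragment
            entry["total"] = end
        entry["frags"][offset] = data
        total = entry["total"]
        if total is None:
            return None
        if any(o + len(d) > total for o, d in entry["frags"].items()):
            return self._drop(key)                   # data beyond the declared end
        if sum(len(d) for d in entry["frags"].values()) < total:
            return None                              # holes remain
        del self.table[key]
        return b"".join(d for _, d in sorted(entry["frags"].items()))
```

Discarding the whole datagram on any overlap is a policy choice made here for simplicity; it avoids having to decide which copy of the overlapping bytes wins.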


