My friend was testing ip fragmentation attacks on linux. So we had to witness ip fragmentation effect first. As we know, an IP packet can carry a total packet length of 65535(2^16 - 1) bytes. But since, data link layer(ethernet) frames can only carry maximum data size of 1500(MTU) bytes, IP has to fragment the packet if its length is greater than MTU. Out of 1500 bytes, IP’s header will itself occupy 20 bytes. We are left with 1480 bytes of data. Since we are using ping(which internally uses ICMP), 8 bytes are used by ICMP for its header. ¬†We are left with 1472 bytes, which is the maximum data size that can be sent using ping.

Ethernet frame format Fig1 Ethernet frame format

IP packet format Fig2 IP packet format

ICMP frame format Fig3 ICMP frame format

Note: To check MTU of interface eth0, type

ifconfig eth0

This is the ip we will be using throughout this test,


Run tcpdump in another terminal to keep track of transmission,

tcpdump -i wlan0 icmp -vvv

Now let us test the connection,

ping $EXIP -s 1472 -c 1

tcpdump reports that the packet has been sent,

01:58:05.960968 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 1500)  
prompt > vinit-PC.local: ICMP echo request, id 15530, seq 1, length 1480  

When we try to send a packet with packet size greater than MTU and don’t fragment flag set,

ping $EXIP -s 1473 -M do -c 1

tcpdump remains silent because no packets are being sent. Lets see the output of ping and infer what has happened,

PING ( 1473(1501) bytes of data.  
From icmp_seq=1 Frag needed and DF set (mtu = 1500)  

--- ping statistics ---  
0 packets transmitted, 0 received, +1 errors  

This shows that if we try to send a packet with size greater than MTU and don’t fragment bit set, ping replies that it can’t send the packet. Now let us try to send the same packet with don’t fragment bit unset,

ping $EXIP -s 1473 -c 1
02:02:33.141005 IP (tos 0x0, ttl 64, id 31043, offset 0, flags [+], proto ICMP (1), length 1500)
teja-laptop.local > vinit-PC.local: ICMP echo request, id 15540, seq 1, length 1480
02:02:33.141134 IP (tos 0x0, ttl 64, id 31043, offset 1480, flags [none], proto ICMP (1), length 21)
teja-laptop.local > vinit-PC.local: icmp

Voila! The packet has been fragmented. As you can see, IP layer has fragmented the packet into two fragments. The first fragment has offset 0, id 31043 and length 1500. The second packet has the same id as the first but the offset shows where exactly this fragment fits into in the original packet. The data length of second packet is only 21(IP header + remaining 1 byte). Finally “flags [+]” in first packet means that there are more fragments yet to arrive while “flags [none]” in second packet means this is the last fragment.