frag6 takes it parameters as command-line options. Each of the options can be specified with a short name
(one character preceded with the hyphen character, as e.g. "-i") or with a long name (a string preceded
with two hyphen characters, as e.g. "--interface").
-iINTERFACE,--interfaceINTERFACE
This option specifies the network interface that the tool will use. If the destination address
("-d" option) is a link-local address, the interface must be explicitly specified. The interface
may also be specified along with a destination address, with the "-d" option.
-SSRC_LINK_ADDR,--src-link-addressSRC_LINK_ADDR
This option specifies the link-layer Source Address of the probe packets. If left unspecified, the
link-layer Source Address of the packets is set to the real link-layer address of the network
interface.
-DDST_LINK_ADDR,--dst-link-addressDST_LINK_ADDR
This option specifies the link-layer Destination Address of the probe packets. By default, the
link-layer Destination Address is automatically set to the link-layer address of the destination
host (for on-link destinations) or to the link-layer address of the first-hop router.
-sSRC_ADDR,--src-addressSRC_ADDR
This option specifies the IPv6 source address (or IPv6 prefix) to be used for the Source Address
of the outgoing packets. If an IPv6 prefix is specified, the IPv6 Source Address of the outgoing
packets will be randomized from that prefix.
-dDST_ADDR,--dst-addressDST_ADDR
This option specifies the IPv6 Destination Address of the target node. This option cannot be left
unspecified.
-AHOP_LIMIT,--hop-limitHOP_LIMIT
This option specifies the Hop Limit to be used for the IPv6 packets. By default, the Hop Limit is
randomized.
-uHDR_SIZE,--dst-opt-hdrHDR_SIZE
This option specifies that a Destination Options header is to be included in the outgoing
packet(s). The extension header size must be specified as an argument to this option (the header
is filled with padding options). Multiple Destination Options headers may be specified by means of
multiple "-u" options.
-UHDR_SIZE,--dst-opt-u-hdrHDR_SIZE
This option specifies a Destination Options header to be included in the "unfragmentable part" of
the outgoing packet(s). The header size must be specified as an argument to this option (the
header is filled with padding options). Multiple Destination Options headers may be specified by
means of multiple "-U" options.
-HHDR_SIZE,--hbh-opt-hdrHDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the outgoing
packet(s). The header size must be specified as an argument to this option (the header is filled
with padding options). Multiple Hop-by-Hop Options headers may be specified by means of multiple
"-H" options.
-PFRAG_SIZE,--frag-sizeFRAG_SIZE
This option specifies the IPv6 fragment payload size.
-OFRAG_TYPE,--frag-typeFRAG_TYPE
This option specifies the fragment "type". Possible types are "first", "middle", "last", and
"atomic". If the selected fragment type is "first", the Fragment Offset is automatically set to 0,
and the "M" ("More fragments") bit is set to 1. If the selected fragment type is "middle", the
Fragment Offset is set to a non-zero value, and the "M" bit is set to 1. If the selected fragment
type is "last", the Fragment Offset is set to a non-zero value, and the "M" bit is set to 0.
Finally, if the selected fragment type is "atomic", the Fragment Offset is set to 0, and the "M"
bit is set to 0.
-oFRAG_OFFSET,--frag-offsetFRAG_OFFSET
This option specifies the Fragment Offset. The Fragment Offset specified by means of this option
overrides the value implicitly specified by means of the "-O" option.
-IFRAG_ID,--frag-idFRAG_ID
This option specifies the fragment "Identification" value. If left unspecified, the
"Identification" value is randomized.
-T, --no-timestamp
When assessing the fragment reassembly policy of a target, the fragment payload includes a
timestamp value that is used to measure the fragment reassembly timeout. If this option is set,
such timestamp will not be included in the payload (and the tool will not be able to measure the
fragment reassembly timeout).
-n, --no-responses
This option instructs the frag6 tool not to display the responses to the fragments sent. This
option is useful when performing a fragmentation-flooding attack, as multiple response packets
(ICMPv6 errors) might be received.
-p, --frag-reass-policy
This option instructs the tool to determine the IPv6 fragment reassembly policy of the target. In
order to determine the aforementioned policy, the tool performs a number of tests to determine how
the target node processes overlapping fragments. The following figures illustrate the sequence of
packets that correspond to each of the tests.
Test#1
Frag. #1: AAAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Test#2
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCC
Test#3
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCC
Test#4
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCCCCCCCCCCCCCCCCC
Test#5
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCC
Frag. #4: DDDDDDDD
For each of the aforementioned tests, the tool reports which
copy of the data is used by the target host. If there is no
response from the host, the tool informs whether the host
silently dropped the fragments, or sent an ICMPv6 Time
Exceeded error message.
-W, --frag-id-policy
This option instructs the tool to determine the fragment "Identification" generation policy. The
tool sends a number of probe packets to the target node, and samples the "Identification" values
of the corresponding response packets. Based on the sampled values, it tries to infer the fragment
Identification generation policy of the target.
The tool will first send a number of fragments from single IPv6 address, such that the per-
destination policy is determined. The tool will then send a number of fragments from random IPv6
addresses (from the same prefix as the first fragments) such that the "global" fragment
Identification generation policy can be inferred.
The tool computes the expected value and the standard deviation of the difference between
consecutive-sampled Identification values (IDn – IDn-1), with the intent of inferring the fragment
Identification algorithm at the target node.
For small values of the standard deviation, the fragment Identification is assumed to be a
monotonically-increasing function with increments of the "expected value". For large values of the
standard deviation, the fragment Identification is assumed to be randomized, and the expected
value and standard deviation are informed to the user, as indicators of the "quality" of the
fragment Identification generation algorithm.
-X, --pod-attack
This option instructs the tool to perform a "Ping of Death" attack against the specified target.
-FFRAG_NUMBER,--flood-fragsFRAG_NUMBER
This option instructs the tool to send the specified number of fragments back-to-back to the
target node. This option is likely to be used in conjunction with the "-l" option, such that the
process is repeated in a loop.
-l, --loop
This option instructs the frag6 tool to periodically send IPv6 fragments to the target node. The
amount of time to pause between sending a batch of fragments can be specified by means of the "-z"
option, and defaults to 1 second.
-zSECONDS,--sleepSECONDS
This option specifies the amount of time that the tool should pause between sending btaches of
IPv6 fragments (when the "--loop" option is set). If left unspecified, it defaults to 1 second.
-v, --verbose
This option instructs the frag6 tool to be verbose. If this option is set twice and the -W option
was set, the tool outputs the sampled Fragment Identification values (in addition to other
information).
-h, --help
Print help information for the frag6 tool.
Install Now
PNG Icons
