Fragmented IP Packets

I just replaced ZAP with CFP, and have noticed something new to me in the activity logs. I’m getting many many packets blocked by Protocol Analysis as “Fragmented IP packets”:

Date/Time :2007-07-14 17:13:25
Severity :High
Reporter :Network
MonitorDescription: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Outgoing
Source: …94 (<-- the local XP machine with CFP)
Destination: …11 (<-- a W2K Server PC on the net set up as a fileserver and for DNS forwarding)
Protocol : UDP
Reason: Fragmented IP packets are not allowed

These events are always paired with packet length events:

Date/Time :2007-07-14 17:13:25
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Outgoing
Source: …94:1597
Destination: …11:88
Reason: UDP packet length and the size on the wire(1282 bytes) do not match

Despite the repeatedly blocked packets, there doesn’t seem to be any effect on performance (filesharing, web browsing, or address resolution). I saw another reference hereabouts to the IP fragmentation issue, and the assertion by MS says this is actually necessary, but didn’t see a resolution or closure to it. I do still have the “Block fragmented IP datagrams” and “Do protocol analysis” options checked.

It sounds like my local machine is simply configured for too large an MTU. Do I need to/can I reconfigure XP with a smaller MTU for local traffic?
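The pairing of the two log entries above follows from how fragmentation works: the UDP length field sits only in the first fragment and describes the whole datagram, so it can never equal the wire size of that single fragment, and an analyser that checks lengths per packet instead of after reassembly flags both conditions at once. The Python sketch below (an added illustration, not code from the thread or from CFP) builds a fragmented UDP datagram, runs both checks on each fragment, then shows the checks pass once the fragments are reassembled; the addresses, ports, payload and 1300-byte MTU are constructed.

```python
import struct

IP_HDR_LEN = 20    # IPv4 header without options
UDP_HDR_LEN = 8
MF_FLAG = 0x2000   # "more fragments" bit in the flags/offset field

def build_fragments(src, dst, sport, dport, payload, mtu):
    """Wrap payload in UDP and split it into IPv4 fragments that fit `mtu` bytes."""
    # The UDP length field covers the WHOLE datagram, not one fragment.
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    step = (mtu - IP_HDR_LEN) // 8 * 8          # fragment data must be a multiple of 8
    frags = []
    for off in range(0, len(udp), step):
        chunk = udp[off:off + step]
        flags_off = (MF_FLAG if off + step < len(udp) else 0) | (off // 8)
        # ver/IHL, TOS, total length, ID, flags+offset, TTL, proto=UDP, checksum (left 0)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(chunk),
                          0x1234, flags_off, 64, 17, 0, src, dst)
        frags.append(hdr + chunk)
    return frags

def analyse(packet):
    """Return the reasons a per-packet length check (like the log lines) would block it."""
    total_len = struct.unpack("!H", packet[2:4])[0]     # bytes on the wire (IP total length)
    flags_off = struct.unpack("!H", packet[6:8])[0]
    proto = packet[9]
    reasons = []
    if flags_off & (MF_FLAG | 0x1FFF):                  # MF set or non-zero offset
        reasons.append("Fragmented IP Packet")
    # Only the packet carrying the UDP header (offset 0) can be length-checked.
    if proto == 17 and not flags_off & 0x1FFF:
        udp_len = struct.unpack("!H", packet[IP_HDR_LEN + 4:IP_HDR_LEN + 6])[0]
        if udp_len != total_len - IP_HDR_LEN:
            reasons.append(f"UDP packet length ({udp_len}) and the size on the wire "
                           f"({total_len} bytes) do not match")
    return reasons

def reassemble(frags):
    """Join the fragments of one datagram (same IP ID assumed) into an unfragmented packet."""
    parts = sorted((struct.unpack("!H", p[6:8])[0] & 0x1FFF, p[IP_HDR_LEN:]) for p in frags)
    data = b"".join(chunk for _, chunk in parts)
    hdr = bytearray(frags[0][:IP_HDR_LEN])
    hdr[2:4] = struct.pack("!H", IP_HDR_LEN + len(data))   # new total length
    hdr[6:8] = b"\x00\x00"                                  # clear MF flag and offset
    return bytes(hdr) + data

if __name__ == "__main__":
    # Constructed case: 2000-byte UDP payload from host .94 to .11 over a 1300-byte MTU link
    frags = build_fragments(bytes([192, 168, 1, 94]), bytes([192, 168, 1, 11]),
                            1597, 88, b"A" * 2000, 1300)
    for f in frags:
        print(len(f), "bytes on the wire:", analyse(f) or "OK")
    print("after reassembly:", analyse(reassemble(frags)) or "OK")
```

Run as-is it prints both block reasons for the 1300-byte first fragment, only the fragmentation reason for the 748-byte tail, and OK for the reassembled datagram; a datagram that fits in one MTU produces no reasons at all.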

mbin: welcome to the forum (:WAV). (yet another ZA convert ;D).

If this is specifically a CFP question on those 2 options, then you should keep them enabled for your own security.

However, if you’re interested in what your MTU should be then I recommend this site as I personally apply my internet settings based on it:

Er, ah, thanks, and I did the reading (and learned that my ISP’s MTU is 1300), but the dataflow that’s triggering these blocked packets by CFP doesn’t involve the Internet. It’s from the local machine to a server on the same physical subnet.

I’m aware of at least some of the dangers posed by IP fragmentation, but also that it doesn’t necessarily pose as big a threat within a well-protected internal enclave as it does across a security boundary. Can the CFP setting be relaxed for local traffic (e.g., for local/remote addr both within a trusted zone), but enforced for Internet traffic?

I see…it seems you know more about that than me :-[. IP frag. doesn’t always mean danger. I guess this feature just makes the network traffic more rigid, like added security.

Now as far as can you control it for just local or trusted traffic, you can’t. All of the options in Advanced Attack Detection & Prevention are global. Perhaps you can post such a request in the wishlist. I think someone had this one before.