The frag utility module simply refines the capture filter
(§
So, to make Bro do fragment reassembly, you simply use ``@load frag''. It effects this by adding:
(ip[6:2] & 0x3fff != 0) and tcp
to the filter. The first part of this expression matches all IP fragments,
while the second restricts those matched to TCP traffic. We would like
to use:
(ip[6:2] & 0x3fff != 0) and (tcp or udp port 111)
to also include portmapper fragments, but that won't work--the port
numbers will only be present in the first fragment, so the packet filter
won't recognize the subsequent fragments as belonging to a UDP port 111
packet, and will fail to capture them.
Note: Alternatively, we might be tempted to use ``(tcp or udp)'' and so capture all UDP fragments, including port 111. This would work in principle, but in practice can capture very high volumes of traffic due to NFS traffic, which can send all of its file data in UDP fragments.
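To make the behaviour above concrete, here is an added Python illustration (not code from the Bro manual or from Bro itself) that models how libpcap evaluates the two filter expressions on constructed IPv4 fragments: the port-111 test only ever looks at the transport header when the fragment offset is zero, which is why the second fragment of a portmapper datagram is dropped by the "wanted" filter but kept by the plain fragment test. The packet bytes are constructed here, and the offset-before-ports rule is libpcap's behaviour as I know it.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IP_MF = 0x2000  # "more fragments" flag inside the flags/offset word ip[6:2]


def build_ipv4(proto, flags_offset, payload, ident=0x4242):
    """Constructed minimal IPv4 header (no options, zero checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_offset, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def ip_word(pkt, off):
    """BPF's ip[off:2]: the big-endian 16-bit value at that header offset."""
    return struct.unpack_from("!H", pkt, off)[0]


def is_fragment(pkt):
    """(ip[6:2] & 0x3fff != 0): MF flag set or non-zero fragment offset."""
    return (ip_word(pkt, 6) & 0x3fff) != 0


def udp_port_111(pkt):
    """'udp port 111' as libpcap compiles it: ports are inspected only when
    the fragment offset (ip[6:2] & 0x1fff) is zero, i.e. the first fragment."""
    if pkt[9] != IPPROTO_UDP or (ip_word(pkt, 6) & 0x1fff) != 0:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return 111 in (sport, dport)


def frag_filter_loaded(pkt):
    """What '@load frag' adds: (ip[6:2] & 0x3fff != 0) and tcp"""
    return is_fragment(pkt) and pkt[9] == IPPROTO_TCP


def frag_filter_wanted(pkt):
    """The tempting variant: (ip[6:2] & 0x3fff != 0) and (tcp or udp port 111)"""
    return is_fragment(pkt) and (pkt[9] == IPPROTO_TCP or udp_port_111(pkt))


# Constructed: one portmapper request split into two IP fragments.
UDP_HDR = struct.pack("!HHHH", 40000, 111, 8 + 1472 + 200, 0)
FIRST = build_ipv4(IPPROTO_UDP, IP_MF | 0, UDP_HDR + b"\x00" * 1472)  # offset 0, MF set
SECOND = build_ipv4(IPPROTO_UDP, 1480 // 8, b"\x00" * 200)            # offset 185, no UDP header

if __name__ == "__main__":
    for name, pkt in (("first", FIRST), ("second", SECOND)):
        print(f"{name} fragment captured by wanted filter: {frag_filter_wanted(pkt)}")
```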