August 12th, 2004, 08:37 PM
#1
IP Fragmentation
I have been reading a lot on various protocols and how TCP/IP works and this is pretty much all I can gather on IP fragmentation. I know it can be used in most cases to map a network and to find out the ACL that the network's filtering device is using.
This kind of information can be found out by scanning with both TCP and UDP packets on all ports in a network range and will give you an idea of which ports on a host are alive and/or open. If no reply is received then it is a pretty good assumption that a filtering device either blocks the protocol used, the port we probed for is blocked, or it blocks ICMP Fragment Reassembly Time exceeded error messages.
When scanning with IP fragmentation the UDP protocol seems to work the best because in most situations the first packet can be sent unfragmented. The first datagram is sent with enough information in it so that it is checked against the firewall's rule base. The rest of the packet is never sent. This is so that the probed computer will elicit an ICMP Fragment Assembly time exceeded error message if the port is open and if it is closed then it will send an ICMP port unreachable packet. The cool thing about this is you can tell when the probed computer filters certain things because there will be no reply at all from the blocked port or protocol.
Using the TCP protocol in this type of scanning may not work as often on some systems because they specify that the first packet sent must be unfragmented. If it does succeed then an ICMP Fragment Assembly time exceeded error message will be sent if the port is open and a TCP RST packet will be sent if the port is closed. Once again if the packets are filtered then no reply at all will be sent.
If anyone can add anything else that I left out or if something is wrong please do, I am really interested in how all of this scanning stuff works.
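A defender-side view of the probe described in the post, as an added example that is not part of the original post: the sketch below reads IPv4 headers from a capture and flags sources that repeatedly send a fragment with the rest of the datagram never arriving. The function names, the threshold and the sample addresses are assumptions made for illustration, and it assumes the capture window is longer than the receiver's reassembly timeout.

```python
import socket
import struct
from collections import defaultdict

def make_hdr(src, dst, ip_id, mf, offset, payload_len, proto=17):
    """Build a constructed 20-byte IPv4 header (checksum left at 0) for the sample."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id,
                       flags_off, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_frag(hdr):
    """Extract the fields that identify a fragment and its place in the datagram."""
    vihl, _, total, ip_id, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", hdr[:20])
    key = (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ip_id)
    more = bool(flags_off & 0x2000)          # MF (more fragments) flag
    offset = (flags_off & 0x1FFF) * 8        # fragment offset in bytes
    return key, more, offset, total - (vihl & 0x0F) * 4

def is_complete(frags):
    """True if fragments cover the datagram from offset 0 to a final MF=0 piece."""
    covered, more = 0, True
    for offset, length, mf in sorted(frags):
        if offset > covered:                 # hole: a fragment never arrived
            return False
        covered, more = max(covered, offset + length), mf
    return not more

def unfinished_fragment_sources(headers, threshold=3):
    """Count, per source, fragmented datagrams that were never completed."""
    datagrams = defaultdict(list)
    for hdr in headers:
        key, more, offset, length = parse_frag(hdr)
        if more or offset:                   # ignore unfragmented packets
            datagrams[key].append((offset, length, more))
    counts = defaultdict(int)
    for key, frags in datagrams.items():
        if not is_complete(frags):
            counts[key[0]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed capture: one host leaves four datagrams unfinished, another reassembles.
SAMPLE = [make_hdr("192.0.2.10", "198.51.100.5", i, True, 0, 24) for i in range(1, 5)]
SAMPLE += [make_hdr("192.0.2.20", "198.51.100.5", 77, True, 0, 1480),
           make_hdr("192.0.2.20", "198.51.100.5", 77, False, 1480, 520)]

if __name__ == "__main__":
    print(unfinished_fragment_sources(SAMPLE))
```

Correlating the flagged sources with outbound ICMP type 11 code 1 (fragment reassembly time exceeded) messages from the same destinations narrows the result further.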