Wireshark: Detecting packet injection

Fragmentation.

The Internet Protocol standard permits ISPs to fragment packets that are too large (for example, because a particular network technology used by an ISP has a maximum packet size). The packets are then broken up into smaller fragments which arrive separately at the destination; the destination computer is responsible for reassembling the fragments. Fragmentation has become somewhat less common in practice for reasons that may include conservative packet size defaults in operating system network code and mechanisms like path MTU discovery (to automatically select a packet size that is small enough to avoid fragmentation). In test results we've seen so far, fragmentation generally did not occur, and we will ignore this possibility here, although it should be considered as a possible cause of any observed discrepancies between packets sent and received.

Packet loss.

Under conditions of network congestion, it is normal for some packets to be discarded rather than forwarded, a phenomenon called packet loss. Packet loss is normally measured as a percentage; the ping utility measures packet loss with ICMP echo request packets, counting how many ICMP echo replies are received in response to a certain number of probes. High rates of packet loss could be caused intentionally by an ISP as a means of reducing the performance of a targeted application or protocol, but they can also occur as a result of congestion on the network or other technical problems. When a packet is lost (also called a "dropped packet", "dropped frame", or "dropped segment"), it is not received by the destination at all. Some higher-level Internet protocols include mechanisms for coping with packet loss, such as TCP's mechanism for explicitly retransmitting data from packets that are lost.

Reordering.

Sometimes packets are not delivered in the same order in which they were originally transmitted. If packet B was transmitted after packet A, receiving packet B at the other end does not mean that packet A has been dropped; it might still be on its way. TCP can also generally correct for reordering. Like packet loss, reordering could be used intentionally by an ISP to degrade an application, but also occurs normally in the course of Internet routing.

Spoofing.

Spoofing or packet injection occurs when an entity other than one of the endpoints generates traffic using the source address of an endpoint. Spoofing is the most straightforwardly detectable means of interference with Internet traffic because it produces concrete evidence in the form of the anomalous spoofed packets, and because it does not occur normally in traditional Internet routing.