Re: Strange TCP RSTs -- CWR bit?

[Richard Bejtlich <richard () BEJTLICH NET>]

Hi all,

Crist, I don't think tcpdump is lying.  According to 
RFC 2481 (A Proposal to add Explicit Congestion 
Notification [ECN] to IP), bit 8 of the TCP reserved 
field is indeed designated the Congestion Window 
Reduced (CWR) bit.  See 
http://www.faqs.org/rfcs/rfc2481.html for more on 
ECN or http://www.faqs.org/rfcs/rfc793.html for the 
TCP header format with the bits clearly explained.  
This CWR bit can also be thought of as being two 
bits left of the URG flag.

Sincerely,

Richard Bejtlich
http://bejtlich.net

---

Crist Clark <crist.clark () GLOBALSTAR COM> wrote:

> 10:51:02.546232 205.188.144.231.80 > 
aaa.bbb.cc2.84.38277: R [CWR] 
704125102:704125102(0) win 0 (DF) (ttl 49, id 24447)
<snip>
> But I'm not any closer to why it is turning on bit-8 in 
the reserved TCP field from RFC793 (noted 
erroneously in this tcpdump as the CWR flag) in that 
RST packet...