Nmap Development mailing list archives

Needed TCP segments for termination


From: Marc Ruef <marc.ruef () computec ch>
Date: Wed, 25 Dec 2002 09:22:23 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

I'm doing some research on TCP establishment and termination. I caught
the following during a small discard session between my Windows XP
Professional (192.168.0.12) and my Debian GNU/Linux (192.168.0.11):

--- cut ---

debian:~# tcpdump
tcpdump: listening on eth0
21:08:13.838442 192.168.0.12.1362 > 192.168.0.11.9: S
539572283:539572283(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
21:08:13.838527 192.168.0.11.9 > 192.168.0.12.1362: S
2164889884:2164889884(0) ack 539572284 win 5808 <mss
1452,nop,nop,sackOK> (DF)
21:08:13.838701 192.168.0.12.1362 > 192.168.0.11.9: . ack 1 win 64512
(DF)
21:08:18.615916 192.168.0.12.1362 > 192.168.0.11.9: F 1:1(0) ack 1 win
64512 (DF)
21:08:18.616379 192.168.0.11.9 > 192.168.0.12.1362: F 1:1(0) ack 2 win
5808 (DF)
21:08:18.616589 192.168.0.12.1362 > 192.168.0.11.9: . ack 2 win 64512
(DF)

6 packets received by filter
0 packets dropped by kernel

--- cut ---

I can see that there is the usual three-way handshake of TCP (first
three segments) and the FIN termination (last three segments).

Richard W. Stevens wrote in his famous "TCP/IP Illustrated, Volume 1:
The Protocols" in chapter 18.2 (Connection Establishment and
Termination, page 233) the following: "While it takes three segments to
establish a connection, it takes four to terminate a connection. This is
caused by TCP's half-close. [...]" He proves that with some of his
tcpdump captures (page 234) and timelines (pages 232 and 234).

What's wrong with my tcpdump capture? I've got only three packets for the
regular FIN termination. Does Windows XP merge the second FIN with the
third ACK (the last ACK of the three-way handshake)? Is this allowed by
the RFCs? Has somebody documented the behaviour of the different TCP/IP
implementations?

It would be possible to use this characteristic to do some additional
OS fingerprinting. I've caught some of the default values on
http://www.computec.ch/projekte/fingerprint-statistiken/ (Sorry, the page
is in German only, but it's easy to catch the essential information
without knowing German ;-) - It would be great if some other people could
send tcpdump outputs for other non-listed operating systems.

Bye, Marc

-- 
Computer, Technik und Security
http://www.computec.ch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+CWq/om0y2/IMJDURAsUIAKCphJ/d8GBm3InMjZYqv840nKutFQCbBkN5
4gdXpJvLyWhedMdWv59EEpo=
=Dx5y
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
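As an added example (not part of Marc's message or of the archive), here is a Python script that parses the old-style tcpdump lines quoted in the message, checks the three-way handshake, and reports whether the side that closes second acknowledged the first FIN in the same segment as its own FIN (a three-segment close) or in a separate ACK followed by its own FIN later (the four-segment close Stevens describes). The capture embedded in the script is the one from the message, kept with tcpdump's line wrapping; the second, four-segment capture is constructed with hypothetical hosts (10.0.0.1 and 10.0.0.2) to exercise the other path. Nothing in TCP requires the two to be separate: the acknowledgement of the first FIN is only the ACK field, and the passive side may set it on its own FIN when its application closes immediately, which is why a capture can legitimately show three or four segments.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the six segments from the capture in the message, kept with
# tcpdump's original line wrapping so the parser has to rejoin continuation lines.
CAPTURE = """\
tcpdump: listening on eth0
21:08:13.838442 192.168.0.12.1362 > 192.168.0.11.9: S
539572283:539572283(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
21:08:13.838527 192.168.0.11.9 > 192.168.0.12.1362: S
2164889884:2164889884(0) ack 539572284 win 5808 <mss
1452,nop,nop,sackOK> (DF)
21:08:13.838701 192.168.0.12.1362 > 192.168.0.11.9: . ack 1 win 64512
(DF)
21:08:18.615916 192.168.0.12.1362 > 192.168.0.11.9: F 1:1(0) ack 1 win
64512 (DF)
21:08:18.616379 192.168.0.11.9 > 192.168.0.12.1362: F 1:1(0) ack 2 win
5808 (DF)
21:08:18.616589 192.168.0.12.1362 > 192.168.0.11.9: . ack 2 win 64512
(DF)
"""

# Constructed contrast case with hypothetical hosts: the four-segment close Stevens
# describes, where the passive side ACKs the FIN first and sends its own FIN later.
FOUR_WAY = """\
10:00:00.000000 10.0.0.1.4000 > 10.0.0.2.9: S 100:100(0) win 8192 <mss 1460> (DF)
10:00:00.000100 10.0.0.2.9 > 10.0.0.1.4000: S 500:500(0) ack 101 win 8192 <mss 1460> (DF)
10:00:00.000200 10.0.0.1.4000 > 10.0.0.2.9: . ack 1 win 8192 (DF)
10:00:05.000000 10.0.0.1.4000 > 10.0.0.2.9: F 1:1(0) ack 1 win 8192 (DF)
10:00:05.000100 10.0.0.2.9 > 10.0.0.1.4000: . ack 2 win 8192 (DF)
10:00:07.000000 10.0.0.2.9 > 10.0.0.1.4000: F 1:1(0) ack 2 win 8192 (DF)
10:00:07.000100 10.0.0.1.4000 > 10.0.0.2.9: . ack 2 win 8192 (DF)
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")          # a new packet starts with a timestamp
SEG = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


@dataclass
class Segment:
    ts: str
    src: str
    dst: str
    flags: str           # tcpdump flag letters; "." means ACK only
    seq: Optional[int]   # absolute on SYNs, relative afterwards (tcpdump default)
    ack: Optional[int]
    win: int


def parse_capture(text: str) -> List[Segment]:
    """Rejoin wrapped tcpdump lines (continuations carry no timestamp), parse each."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if TS.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line    # continuation of the previous packet
    segments = []
    for rec in records:
        m = SEG.match(rec)
        if m:                            # anything that is not a TCP segment line is skipped
            segments.append(Segment(
                m["ts"], m["src"], m["dst"], m["flags"],
                int(m["seq"]) if m["seq"] else None,
                int(m["ack"]) if m["ack"] else None, int(m["win"])))
    return segments


def is_three_way_handshake(segs: List[Segment]) -> bool:
    """True when the first three segments are SYN, SYN/ACK and ACK of the same flow."""
    if len(segs) < 3:
        return False
    syn, synack, ack = segs[:3]
    return ("S" in syn.flags and syn.ack is None
            and "S" in synack.flags and synack.src == syn.dst and synack.ack == syn.seq + 1
            and "S" not in ack.flags and ack.src == syn.src and ack.ack == 1)


def classify_close(segs: List[Segment]) -> dict:
    """Report whether the first FIN was ACKed on the peer's own FIN or separately.
    After the handshake tcpdump prints relative numbers: 'F 1:1(0)' needs 'ack 2'."""
    fins = [i for i, s in enumerate(segs) if "F" in s.flags]
    if not fins:
        return {"fin_segments": 0, "teardown_segments": 0, "fin_ack_combined": None}
    first = segs[fins[0]]
    expected_ack = first.seq + 1          # the FIN flag consumes one sequence number
    combined_by = None
    for s in segs[fins[0] + 1:]:
        if s.src == first.dst and s.ack is not None and s.ack >= expected_ack:
            if "F" in s.flags:            # the peer ACKed the FIN on its own FIN
                combined_by = s.src
            break                         # only the first acknowledging segment matters
    return {"fin_segments": len(fins), "teardown_segments": len(segs) - fins[0],
            "fin_ack_combined": combined_by is not None, "combined_by": combined_by}
```

Run over the message's capture, `classify_close` reports two FIN segments, a three-segment teardown, and the combined FIN/ACK coming from 192.168.0.11.9, the Debian discard server; over the constructed four-segment capture it reports a separate ACK and a four-segment teardown. Whether a given stack combines the two depends on how quickly the application on the passive side closes, so a fingerprinting heuristic built on this would have to account for the service, not only the operating system.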


