Nmap Development mailing list archives
Needed TCP segments for termination
From: Marc Ruef <marc.ruef () computec ch>
Date: Wed, 25 Dec 2002 09:22:23 +0100
Hi!

I'm doing some research on TCP establishment and termination. I caught the following during a small discard session between my Windows XP Professional (192.168.0.12) and my Debian GNU/Linux (192.168.0.11):

--- cut ---
debian:~# tcpdump
tcpdump: listening on eth0
21:08:13.838442 192.168.0.12.1362 > 192.168.0.11.9: S 539572283:539572283(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
21:08:13.838527 192.168.0.11.9 > 192.168.0.12.1362: S 2164889884:2164889884(0) ack 539572284 win 5808 <mss 1452,nop,nop,sackOK> (DF)
21:08:13.838701 192.168.0.12.1362 > 192.168.0.11.9: . ack 1 win 64512 (DF)
21:08:18.615916 192.168.0.12.1362 > 192.168.0.11.9: F 1:1(0) ack 1 win 64512 (DF)
21:08:18.616379 192.168.0.11.9 > 192.168.0.12.1362: F 1:1(0) ack 2 win 5808 (DF)
21:08:18.616589 192.168.0.12.1362 > 192.168.0.11.9: . ack 2 win 64512 (DF)
6 packets received by filter
0 packets dropped by kernel
--- cut ---

I can see that there is the usual three-way handshake of TCP (first three segments) and the FIN termination (last three segments).

Richard W. Stevens wrote in his famous "TCP/IP Illustrated, Volume 1: The Protocols" in chapter 18.2 (Connection Establishment and Termination, page 233) the following:

"While it takes three segments to establish a connection, it takes four to terminate a connection. This is caused by TCP's half-close. [...]"

He proves that with some of his tcpdump captures (page 234) and timelines (pages 232 and 234).

What's wrong with my tcpdump capture? I've got only three packets for the regular FIN termination. Does Windows XP merge the second FIN with the third ACK (the last ACK of the three-way handshake)? Is this allowed by the RFCs? Has somebody documented the behaviour of the different TCP/IP implementations? It would be possible to use these characteristics to do some additional OS fingerprinting.

I've caught some of the default values on http://www.computec.ch/projekte/fingerprint-statistiken/ (Sorry, the page is in German only, but it's easy to catch the essential information without knowing German ;-) - It would be great if some other people could send tcpdump outputs for other non-listed operating systems.

Bye, Marc

-- 
Computer, Technik und Security
http://www.computec.ch
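As an added illustration (not code from Marc's post), a small Python parser that reads tcpdump lines of the format quoted above and reports whether a connection was torn down with three segments (the passive side's FIN itself acknowledges the first FIN) or with the textbook four (a standalone ACK first, then the FIN). The first sample is the six segments from the post; the second, four-segment capture is constructed for contrast and is not from the post.

```python
import re
from typing import List, NamedTuple, Optional
# Constructed sample: the six segments of the discard (port 9) session quoted in
# the post, as tcpdump printed them (relative seq/ack numbers after the handshake).
CAPTURE = """\
21:08:13.838442 192.168.0.12.1362 > 192.168.0.11.9: S 539572283:539572283(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
21:08:13.838527 192.168.0.11.9 > 192.168.0.12.1362: S 2164889884:2164889884(0) ack 539572284 win 5808 <mss 1452,nop,nop,sackOK> (DF)
21:08:13.838701 192.168.0.12.1362 > 192.168.0.11.9: . ack 1 win 64512 (DF)
21:08:18.615916 192.168.0.12.1362 > 192.168.0.11.9: F 1:1(0) ack 1 win 64512 (DF)
21:08:18.616379 192.168.0.11.9 > 192.168.0.12.1362: F 1:1(0) ack 2 win 5808 (DF)
21:08:18.616589 192.168.0.12.1362 > 192.168.0.11.9: . ack 2 win 64512 (DF)
"""
# Constructed contrast (not from the post): the textbook four-segment close, where
# the passive side acknowledges the FIN on its own and only later sends its FIN.
FOUR_WAY = """\
10:00:01.000000 10.0.0.1.4000 > 10.0.0.2.9: F 1:1(0) ack 1 win 64512 (DF)
10:00:01.000100 10.0.0.2.9 > 10.0.0.1.4000: . ack 2 win 5808 (DF)
10:00:01.000200 10.0.0.2.9 > 10.0.0.1.4000: F 1:1(0) ack 2 win 5808 (DF)
10:00:01.000300 10.0.0.1.4000 > 10.0.0.2.9: . ack 2 win 64512 (DF)
"""
# timestamp src > dst: flags [seq:end(len)] [ack N] ...  (old tcpdump 3.x layout)
LINE = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
                  r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?")

class Seg(NamedTuple):
    src: str
    dst: str
    flags: str
    seq: Optional[int]
    ack: Optional[int]

def parse(text: str) -> List[Seg]:
    segs = []
    for m in (LINE.match(line) for line in text.splitlines()):
        if m:
            segs.append(Seg(m["src"], m["dst"], m["flags"],
                            int(m["seq"]) if m["seq"] else None,
                            int(m["ack"]) if m["ack"] else None))
    return segs

def close_segments(segs: List[Seg]) -> Optional[int]:
    """3 if the passive closer's FIN itself acknowledges the first FIN,
    4 if that ACK went out as a separate segment first, None if no full close."""
    fins = [i for i, s in enumerate(segs) if "F" in s.flags]
    if len(fins) < 2 or segs[fins[1]].src != segs[fins[0]].dst:
        return None
    first, second = segs[fins[0]], segs[fins[1]]
    # Any pure ACK from the passive side, between the two FINs, that covers the first FIN?
    standalone = any(s.src == second.src and s.ack is not None and s.ack > first.seq
                     for s in segs[fins[0] + 1:fins[1]])
    return 4 if standalone or second.ack != first.seq + 1 else 3
```

Run over a longer capture, the per-connection result is the kind of per-stack behaviour the post suggests recording alongside the other default values.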