Snort mailing list archives
TCP reserved flags: which is it?
From: John Sage <jsage () finchhaven com>
Date: Wed, 17 Jul 2002 23:38:31 -0700
Received some tcp:25 packets with the reserved flag bits set.

snort 1.8.7 reports:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/17-20:11:24.884824 209.167.90.34:47060 -> 12.82.129.7:25
TCP TTL:47 TOS:0x0 ID:26375 IpLen:20 DgmLen:60 DF
12****S* Seq: 0x7D870B18  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1380 SackOK TS: 303867600 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

while ACID reports the same packet as:

------------------------------------------------------------------------------
#(267 - 8) [2002-07-17 20:11:24]  TCP to 25 smtp
IPv4: 209.167.90.34 -> 12.82.129.7
      hlen=5 TOS=0 dlen=60 ID=26375 flags=0 offset=0 TTL=47 chksum=11154
TCP:  port=47060 -> dport: 25  flags=21****S* seq=2106002200
      ack=0 off=10 res=0 win=5840 urp=0 chksum=32298
Options:
 #1 - MSS len=4 data=0564
 #2 - SACKOK len=0
 #3 - TS len=10 data=121CA6D000000000
 #4 - NOP len=0
 #5 - WS len=3 data=00
Payload: none
------------------------------------------------------------------------------

Note that snort has the flags as 1 - 2 while ACID has them as 2 - 1

Which is it?

I'd tend to believe snort...

- John

--
"Obviously, we do not want to leave zombies around."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
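The following is an added example, not code from the post and not Snort's or ACID's own source. It rebuilds the TCP header from the values both tools printed above (a constructed sample), parses it with the standard library, and renders the flags byte in Snort 1.8's eight-column "12UAPRSF" notation, where the top two bits of the flags byte (0x80 and 0x40) are the "1" and "2" columns. Decoded, the byte is 0xC2 either way: both reserved bits plus SYN are set, so the two tools agree on the bits and differ only in the order of the two labels. The ACID rendering here is an assumption that ACID simply swaps the two reserved columns; the post only shows the case where both bits are set, which cannot distinguish anything more. It also separates these two flag-byte bits from the 4-bit reserved nibble of the data-offset byte, which is what ACID's `res=0` refers to. RFC 3168 (2001) reassigned the two flag-byte bits as CWR (0x80) and ECE (0x40); a SYN carrying both is the ECN-setup SYN that standard defines, which is worth knowing before treating such packets as crafted.

```python
import struct

# TCP flags byte (header byte 13), RFC 793, plus the two bits RFC 793 left
# reserved and RFC 3168 later assigned to ECN.
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TH_RES2 = 0x40  # Snort 1.8 column "2"; ECE under RFC 3168
TH_RES1 = 0x80  # Snort 1.8 column "1"; CWR under RFC 3168

# Snort's notation: "12UAPRSF", unset positions shown as "*".
SNORT_ORDER = [(TH_RES1, "1"), (TH_RES2, "2"), (TH_URG, "U"), (TH_ACK, "A"),
               (TH_PSH, "P"), (TH_RST, "R"), (TH_SYN, "S"), (TH_FIN, "F")]
# ACID as seen in the post ("21****S*"): assumed to be the same columns with
# the two reserved labels swapped.
ACID_ORDER = [SNORT_ORDER[1], SNORT_ORDER[0]] + SNORT_ORDER[2:]

def render_flags(flags, order=SNORT_ORDER):
    """Render a TCP flags byte in the eight-column '12UAPRSF' style."""
    return "".join(label if flags & mask else "*" for mask, label in order)

def parse_tcp_options(opts):
    """Return (kind, data) tuples from raw option bytes; rejects bad lengths."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP carries no length byte
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def parse_tcp_header(raw):
    """Parse the fixed 20-byte TCP header plus options into a dict."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urp = struct.unpack("!HHIIBBHHH", raw[:20])
    off = off_res >> 4                     # header length in 32-bit words
    if off < 5 or off * 4 > len(raw):
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "off": off,
        "res": off_res & 0x0F,             # 4-bit reserved nibble: ACID's res=
        "flags": flags,
        "res_bits": (flags & (TH_RES1 | TH_RES2)) >> 6,  # the two disputed bits
        "win": win, "chksum": csum, "urp": urp,
        "options": parse_tcp_options(raw[20:off * 4]),
    }

def describe_options(options):
    """Render options roughly as Snort's packet printer does."""
    parts = []
    for kind, data in options:
        if kind == 2:
            parts.append(f"MSS: {struct.unpack('!H', data)[0]}")
        elif kind == 3:
            parts.append(f"WS: {data[0]}")
        elif kind == 4:
            parts.append("SackOK")
        elif kind == 8:
            tsval, tsecr = struct.unpack("!II", data)
            parts.append(f"TS: {tsval} {tsecr}")
        elif kind == 1:
            parts.append("NOP")
        else:
            parts.append(f"Opt{kind}")
    return " ".join(parts)

# Constructed sample: the header from the post rebuilt from the printed values
# (ports, seq, off=10, flags 0xC2 = res1|res2|SYN, win 5840, chksum 32298).
SAMPLE_TCP = (
    struct.pack("!HHIIBBHHH", 47060, 25, 0x7D870B18, 0, (10 << 4) | 0, 0xC2, 5840, 32298, 0)
    + bytes([2, 4, 0x05, 0x64])                          # MSS 1380
    + bytes([4, 2])                                      # SackOK
    + bytes([8, 10]) + struct.pack("!II", 303867600, 0)  # Timestamps
    + bytes([1])                                         # NOP
    + bytes([3, 3, 0])                                   # Window scale 0
)

if __name__ == "__main__":
    h = parse_tcp_header(SAMPLE_TCP)
    print(f"flags byte 0x{h['flags']:02X}: snort={render_flags(h['flags'])} "
          f"acid={render_flags(h['flags'], ACID_ORDER)} res_bits={h['res_bits']:02b}")
    print(f"off={h['off']} res={h['res']} seq=0x{h['seq']:X} ({h['seq']}) "
          f"win=0x{h['win']:X} ({h['win']})")
    print("TCP Options =>", describe_options(h["options"]))
```

Running it reproduces Snort's `12****S*` and ACID's `21****S*` from the same 0xC2 byte, and prints the same decimal/hex pairs both tools showed (seq 0x7D870B18 = 2106002200, win 0x16D0 = 5840), so the two reports can be confirmed as one packet rather than two different flag settings.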
Current thread:
- TCP reserved flags: which is it? John Sage (Jul 17)
- Win32 - libpcap questrion Anonymous - Mike (Jul 18)
- Re: Win32 - libpcap questrion Erek Adams (Jul 18)
- Re: TCP reserved flags: which is it? John Sage (Jul 20)
- Re: TCP reserved flags: which is it? Phil Wood (Jul 21)
- Re: TCP reserved flags: which is it? John Sage (Jul 21)
- Re: TCP reserved flags: which is it? Phil Wood (Jul 22)
- Re: TCP reserved flags: which is it? John Sage (Jul 22)
- Re: TCP reserved flags: which is it? Phil Wood (Jul 21)
- Win32 - libpcap questrion Anonymous - Mike (Jul 18)
- Re: TCP reserved flags: which is it? John Sage (Jul 21)
- Re: TCP reserved flags: which is it? John Sage (Jul 22)