Snort mailing list archives
Re: TCP reserved flags: which is it?
From: Phil Wood <cpw () lanl gov>
Date: Mon, 22 Jul 2002 10:18:28 -0600
Sar-eee, Everybody is wrong, cause they are referred to in the RFC as bit 9* and bit 8! But, that's in relation to the 32 bit word which is word 3 of the tcp header (start counting at 0 of course).

    0               ! * 1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | OFF=10| | | | |W|E|U|A|P|R|S|F|         Window = 5840         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     data  |reserved|    flags     |
    offset

  * ECN-Echo flag
  ! Congestion Window Reduced flag

So, if we go with the flow, bit W (congestion _W_indow reduced (ECN))** and bit E (ecn _E_cho sent (ECN))** are the first two bits in the newly (1999) defined (6->8) bit tcp flags field. Consequently, they should be numbered bit 0 and bit 1 of the tcp flags field.

Ah, but what happens to all the old documentation that might refer to the Urgent bit as bit 0 or bit 10, or when the flags field expands further into the reserved space?

Later,

** See print-tcp.c in tcpdump source from tcpdump.org.

On Sun, Jul 21, 2002 at 10:59:42PM -0700, John Sage wrote:
> arf.. Actually, if you had read my initial post, the *real* question was why snort reported the flags as 12****S* while ACID reports the flags as flags=21****S*

It was one of the once over lightly reads.

> Notice the "1" and the "2" are reversed between the two. I know *what* the flags mean; I'm just trying to understand why snort and ACID seem to be reporting them differently...
>
> (That, and I was kinda funnin' with Erek, but he doesn't seem to have noticed :-)
>
> - John
> --
> "Obviously, we do not want to leave zombies around."
>
> PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
>
> On Sun, Jul 21, 2002 at 12:14:27PM -0600, Phil Wood wrote:
>> On Sat, Jul 20, 2002 at 10:10:00PM -0700, John Sage wrote:
>>> On Wed, Jul 17, 2002 at 11:38:31PM -0700, John Sage wrote:
>>>> Received some tcp:25 packets with the reserved flag bits set.
>>>> <snip>
>>>
>>> What about my question? Guys?
>>
>> Take a look at rfc2481 and rfc2914.txt. Those bits are being used for explicit congestion control. Of course it only works if both ends and intervening routers are participating. Here is a snippet from rfc 2481:
>>
>> 6.1. TCP
>>
>> The following sections describe in detail the proposed use of ECN in TCP. This proposal is described in essentially the same form in [Floyd94]. We assume that the source TCP uses the standard congestion control algorithms of Slow-start, Fast Retransmit and Fast Recovery [RFC 2001].
>>
>> This proposal specifies two new flags in the Reserved field of the TCP header. The TCP mechanism for negotiating ECN-Capability uses the ECN-Echo flag in the TCP header. (This was called the ECN Notify flag in some earlier documents.) Bit 9 in the Reserved field of the TCP header is designated as the ECN-Echo flag. The location of the 6-bit Reserved field in the TCP header is shown in Figure 3 of RFC 793 [RFC793].
>>
>> 8< snip >8
>
> -------------------------------------------------------
> This sf.net email is sponsored by: ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
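Added here as an illustration, not code from the thread or from Snort, tcpdump or ACID: a C program that takes a constructed word 3 matching Phil's diagram and reads the two ECN bits in both numberings (bits 8 and 9 of the 32-bit word versus bits 0 and 1 of the 8-bit flags field), then renders the 12UAPRSF-style string John quotes. Which reserved bit the digits '1' and '2' stand for is an assumption (here '1' is the 0x80 bit, CWR, and '2' the 0x40 bit, ECE).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit n of a 32-bit header word, numbered from the left as the RFCs do
 * (bit 0 is the most significant bit). */
int rfc_bit(uint32_t word, int n) {
    return (int)((word >> (31 - n)) & 1u);
}

/* Word 3 of the TCP header: 4 bits data offset, 4 reserved bits, the
 * 8-bit flags field, then the 16-bit window. */
unsigned tcp_data_offset(uint32_t word3) { return (word3 >> 28) & 0xfu; }
uint8_t tcp_flags(uint32_t word3) { return (uint8_t)((word3 >> 16) & 0xffu); }

/* Bit n of the 8-bit flags field itself, again counted from the left,
 * so CWR (0x80, RFC "bit 8") is bit 0 and ECE (0x40, "bit 9") is bit 1. */
int flags_bit(uint8_t flags, int n) {
    return (int)((flags >> (7 - n)) & 1u);
}

/* Snort-style string from the thread: one symbol per flag in the order
 * CWR ECE URG ACK PSH RST SYN FIN, '*' when the bit is clear.
 * Assumption: '1' stands for the 0x80 bit and '2' for the 0x40 bit. */
void flag_string(uint8_t flags, char out[9]) {
    static const char sym[8] = {'1', '2', 'U', 'A', 'P', 'R', 'S', 'F'};
    for (int i = 0; i < 8; i++)
        out[i] = flags_bit(flags, i) ? sym[i] : '*';
    out[8] = '\0';
}

int main(void) {
    /* Constructed word 3 matching the diagram: offset 10, reserved 0,
     * CWR, ECE and SYN set, window 5840 (0x16D0). */
    uint32_t word3 = 0xA0C216D0u;
    char s[9];
    flag_string(tcp_flags(word3), s);
    printf("offset=%u flags=0x%02x %s\n", tcp_data_offset(word3), tcp_flags(word3), s);
    printf("RFC word-3 bits 8,9 = %d,%d; flags-field bits 0,1 = %d,%d\n",
           rfc_bit(word3, 8), rfc_bit(word3, 9),
           flags_bit(tcp_flags(word3), 0), flags_bit(tcp_flags(word3), 1));
    return 0;
}
```

The same byte comes out as "bits 8 and 9 set" under the RFC's word numbering and "bits 0 and 1 set" under flags-field numbering, which is the only difference between the two ways of counting that the thread argues about.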