Snort mailing list archives

Re: flags SYN question...

From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 05 Dec 2003 11:40:22 -0500

At 12:58 PM 12/4/2003, gfyspf () yahoo com wrote:

Could someone please tell me what the 12 stands for in the following line:
flags:S,12 and are there other numbers if so what are they used for? Ihave been searching all the documentation and can't find much info on it.

Those are the old "reserved 1" and "reserved 2" bits that are the next twobits up from the 6 flag bits in the tcp header.


ECN uses them nowdays.

Some OS fingerprinters (ie: nmap) set these bits on some of their testpackets to differentiate OS behaviors.



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

flags SYN question... gfyspf () yahoo com (Dec 05)
- Re: flags SYN question... Brian (Dec 05)
- Re: flags SYN question... Matt Kettler (Dec 05)