Snort mailing list archives
Re: Unified Logging (PKT_STREAM_TWH & PKT_FROM_CLIENT)
From: Steven Sturges <ssturges () sourcefire com>
Date: Tue, 21 Feb 2012 10:44:07 -0500
That's how TCP usually works, though not always (i.e., server splitting its SYN & ACK packets). Typically the 3rd packet of the 3-way handshake is from the client.

    SYN -->
        <-- SYN/ACK
    ACK -->

On 2/21/12 9:39 AM, Christopher Granger wrote:
Hi Snort Dev,

Regarding Unified logging & Packet Flags, can you answer this question, please?

If the Packet Flags bit 0x00000020 is set (referenced below from decode.h)

    #define PKT_STREAM_TWH   0x00000020  /* packet completes the 3-way handshake */
    #define PKT_FROM_CLIENT  0x00000080  /* this packet came from the client */

should flag 0x00000080 always also be set?

Based on log sampling I've done, this seems to be the case -- i.e. while 0x00000080 may be set alone, whenever 0x00000020 is set, 0x00000080 is also set.

Thank you,
-Chris

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
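The exchange above, as an added example that is not part of the thread and not Snort's own stream-tracking code: a deliberately simplified handshake tracker that stamps the two flag values quoted from decode.h onto each packet of a flow and reports the flags of the packet that completed the handshake. The completion rule (assumption, not stream5's logic) is that the handshake is done once each side has sent a SYN and seen it ACKed; the first packet of a flow is taken to be from the client. The type and function names (pkt_t, flow_t, track_packet, run_handshake) and both packet sequences are constructed for this illustration. The normal handshake reproduces Chris's observation (TWH implies FROM_CLIENT); the second sequence, where the server sends its SYN and its ACK in separate segments as Steven describes, is the case where the completing packet comes from the server.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as quoted from Snort's decode.h in the thread above. */
#define PKT_STREAM_TWH   0x00000020  /* packet completes the 3-way handshake */
#define PKT_FROM_CLIENT  0x00000080  /* this packet came from the client */

/* TCP header flag bits (standard values). */
#define TH_SYN 0x02
#define TH_ACK 0x10

/* Hypothetical minimal packet: direction plus TCP flag byte. */
typedef struct { bool from_client; uint8_t tcp_flags; } pkt_t;

/* Hypothetical per-flow handshake state. */
typedef struct {
    bool client_syn_seen, server_syn_seen;
    bool client_syn_acked, server_syn_acked;
    bool established;
} flow_t;

/* Stamp packet flags for one segment. Simplified model (assumption): the
 * handshake completes on the packet that leaves both SYNs ACKed. */
static uint32_t track_packet(flow_t *f, const pkt_t *p)
{
    uint32_t flags = p->from_client ? PKT_FROM_CLIENT : 0;
    if (f->established)
        return flags;

    bool *my_syn         = p->from_client ? &f->client_syn_seen  : &f->server_syn_seen;
    bool *peer_syn       = p->from_client ? &f->server_syn_seen  : &f->client_syn_seen;
    bool *peer_syn_acked = p->from_client ? &f->server_syn_acked : &f->client_syn_acked;

    if (p->tcp_flags & TH_SYN)
        *my_syn = true;
    if ((p->tcp_flags & TH_ACK) && *peer_syn)
        *peer_syn_acked = true;

    if (f->client_syn_seen && f->server_syn_seen &&
        f->client_syn_acked && f->server_syn_acked) {
        f->established = true;
        flags |= PKT_STREAM_TWH;
    }
    return flags;
}

/* Feed a sequence through a fresh flow; return the flags of the packet
 * that completed the handshake, or 0 if it never completed. */
static uint32_t run_handshake(const pkt_t *pkts, size_t n)
{
    flow_t f = {0};
    for (size_t i = 0; i < n; i++) {
        uint32_t fl = track_packet(&f, &pkts[i]);
        if (fl & PKT_STREAM_TWH)
            return fl;
    }
    return 0;
}

/* Chris's invariant: whenever 0x20 is set, 0x80 is set too. */
bool twh_implies_from_client(uint32_t flags)
{
    return !(flags & PKT_STREAM_TWH) || (flags & PKT_FROM_CLIENT);
}

/* Constructed sample sequences (not captured traffic). */
static const pkt_t normal_hs[] = {
    { true,  TH_SYN },           /* client SYN          */
    { false, TH_SYN | TH_ACK },  /* server SYN/ACK      */
    { true,  TH_ACK },           /* client ACK: completes, from client */
};
static const pkt_t split_hs[] = {
    { true,  TH_SYN },           /* client SYN                          */
    { false, TH_SYN },           /* server SYN sent without the ACK     */
    { true,  TH_SYN | TH_ACK },  /* client answers the server's SYN     */
    { false, TH_ACK },           /* server's separate ACK: completes, from server */
};

uint32_t normal_completing_flags(void) { return run_handshake(normal_hs, 3); }
uint32_t split_completing_flags(void)  { return run_handshake(split_hs, 4); }

int main(void)
{
    printf("normal handshake: completing packet flags 0x%02x\n", normal_completing_flags());
    printf("split  handshake: completing packet flags 0x%02x\n", split_completing_flags());
    return 0;
}
```

The point of the second sequence is only that the "3rd packet is from the client" rule is a property of the common SYN, SYN/ACK, ACK ordering rather than of the flag definitions themselves; a log sample that never contains a split handshake will never show 0x20 without 0x80.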
Current thread:
- Unified Logging (PKT_STREAM_TWH & PKT_FROM_CLIENT) Christopher Granger (Feb 21)
- Re: Unified Logging (PKT_STREAM_TWH & PKT_FROM_CLIENT) Steven Sturges (Feb 21)
- Re: Unified Logging (PKT_STREAM_TWH & PKT_FROM_CLIENT) Chris Granger (Feb 21)
- Re: Unified Logging (PKT_STREAM_TWH & PKT_FROM_CLIENT) Steven Sturges (Feb 21)