Snort mailing list archives

Re: TCP reserved flags: which is it?


From: Chris Keladis <Chris.Keladis () cmc optus net au>
Date: Sun, 21 Jul 2002 15:55:30 +1000

Hi John,

The flags represent the same.

It just seems like ACID prints them out in a different order.

You still have reserved flags 1 and 2 set, regardless of whether you read them as 2 and 1.

Regards,

Chris.


John Sage wrote:

Received some tcp:25 packets with the reserved flag bits set.

snort 1.8.7 reports:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/17-20:11:24.884824 209.167.90.34:47060 -> 12.82.129.7:25
TCP TTL:47 TOS:0x0 ID:26375 IpLen:20 DgmLen:60 DF

12****S* Seq: 0x7D870B18  Ack: 0x0  Win: 0x16D0  TcpLen: 40

TCP Options (5) => MSS: 1380 SackOK TS: 303867600 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


while ACID reports the same packet as:

------------------------------------------------------------------------------
#(267 - 8) [2002-07-17 20:11:24]  TCP to 25 smtp
IPv4: 209.167.90.34 -> 12.82.129.7
      hlen=5 TOS=0 dlen=60 ID=26375 flags=0 offset=0 TTL=47 chksum=11154

TCP:  port=47060 -> dport: 25  flags=21****S* seq=2106002200

      ack=0 off=10 res=0 win=5840 urp=0 chksum=32298
      Options:
       #1 - MSS len=4 data=0564
       #2 - SACKOK len=0
       #3 - TS len=10 data=121CA6D000000000
       #4 - NOP len=0
       #5 - WS len=3 data=00
Payload: none
------------------------------------------------------------------------------

Note that snort has the flags as 1 - 2 while ACID has them as 2 - 1.


Which is it?

I'd tend to believe snort...


- John
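As an added illustration of the point in this thread (not code from the thread, nor from the Snort or ACID projects): the script below rebuilds the 40-byte TCP header from the values quoted above (constructed, not captured), renders the flags byte in Snort's "12UAPRSF" order, and decodes the options. The bit mapping assumes Snort's documented convention, '1' = 0x80 (the MSB of the flags byte) and '2' = 0x40; since both bits are set, the display order does not change what is set, which is the answer given above.

```python
import struct

# TCP flag bits. Snort's "12UAPRSF" packet-log string names the two high
# bits, then still "reserved", as '1' (0x80, MSB) and '2' (0x40); ACID printed
# the same two bits as "21". RFC 3168 later assigned them to CWR and ECE, so a
# SYN carrying both is an ECN-setup SYN rather than a malformed packet.
FLAG_BITS = [("1", 0x80), ("2", 0x40), ("U", 0x20), ("A", 0x10),
             ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01)]

# Constructed header, rebuilt from the values quoted in the thread: sport 47060,
# dport 25, seq 0x7D870B18, data offset 10 (40 bytes), flags 0xC2, win 5840,
# chksum 32298, options MSS 1380 / SackOK / TS 303867600,0 / NOP / WS 0.
TCP_HEADER = (struct.pack("!HHIIBBHHH", 47060, 25, 0x7D870B18, 0, 10 << 4,
                          0xC2, 5840, 32298, 0)
              + bytes.fromhex("020405640402080a121ca6d00000000001030300"))

OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}


def snort_flag_string(flags):
    """Render a flags byte the way Snort's packet log does ('12****S*')."""
    return "".join(ch if flags & bit else "*" for ch, bit in FLAG_BITS)


def flag_names(flags):
    """Order-independent set of set flags: what both tools actually agree on."""
    return {ch for ch, bit in FLAG_BITS if flags & bit}


def parse_tcp(hdr):
    """Decode the fixed TCP header and walk the options (kind, length, data)."""
    sport, dport, seq, ack, off_res, flags, win, csum, urp = struct.unpack(
        "!HHIIBBHHH", hdr[:20])
    tcplen = (off_res >> 4) * 4          # data offset is in 32-bit words
    opts, i = [], 20
    while i < tcplen:
        kind = hdr[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # NOP has no length byte
            opts.append(("NOP", b""))
            i += 1
            continue
        length = hdr[i + 1]
        opts.append((OPTION_NAMES.get(kind, str(kind)), hdr[i + 2:i + length]))
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "tcplen": tcplen, "win": win, "options": opts}
```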
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users