Snort mailing list archives

Re: TCP reserved flags: which is it?


From: John Sage <jsage () finchhaven com>
Date: Mon, 22 Jul 2002 10:52:28 -0700

Phil:

/* sorry if I was a bit snappish, earlier.. */

On Mon, Jul 22, 2002 at 10:18:28AM -0600, Phil Wood wrote:
Sar-eee,

Everybody is wrong, cause they are referred to in the RFC as
bit 9* and bit 8!  But, that's in relation to the 32 bit word which
is word 3 of the tcp header (start counting at 0 of course).

   0               ! * 1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | OFF=10| | | | |W|E|U|A|P|R|S|F|  Window = 5840                |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   data   | reserved  | flags     |
    offset

* ECN-Echo flag
! Congestion Window Reduced flag

So, if we go with the flow, bit W (congestion _W_indow reduced (ECN))**
and bit E (ecn _E_cho sent (ECN))** are the first two bits in the newly (1999)
defined (6->8) bit tcp flags field.  Consequently, they should be numbered
bit 0 and bit 1 of the tcp flags field.  Ah, but what happens to all the
old documentation that might refer to the Urgent bit as bit 0 or bit 10,
or when the flags field expands further into the reserved space?

Yes. Got it.

Actually, I think Chris K had the best point (that I missed entirely,
to begin with): snort says 1-2, ACID says 2-1, tomato, tomahtoe,
potato, potahtoe, both are just indicating that both of two flags are
set.

It is a binary deal, after all.

As far as ACID itself goes, I think it has more to do with how Roman
implemented his frontend into the MySQL database.

acid_qry_form.php has some magic regarding $tcp_flags and powers of
two that I won't even *try* to explain:

<snip>
echo '    <INPUT TYPE="checkbox" NAME="tcp_flags[8]" VALUE="128"
'.chk_check($tcp_flags[8],"128").'> [RSV1] &nbsp'; 
echo '    <INPUT TYPE="checkbox" NAME="tcp_flags[7]" VALUE="64"
'.chk_check($tcp_flags[7],"64").'> [RSV0] &nbsp';
echo '    <INPUT TYPE="checkbox" NAME="tcp_flags[6]" VALUE="32"
'.chk_check($tcp_flags[6],"32").'> [URG] &nbsp';
echo '    <INPUT TYPE="checkbox" NAME="tcp_flags[5]" VALUE="16"
'.chk_check($tcp_flags[5],"16").'> [ACK] &nbsp';
echo '    <INPUT TYPE="checkbox" NAME="tcp_flags[3]" VALUE="8"
'.chk_check($tcp_flags[4],"8").'> [PSH] &nbsp'; 
echo '    <INPUT TYPE="checkbox" NAME="tcp_flags[4]" VALUE="4"
'.chk_check($tcp_flags[3],"4").'> [RST] &nbsp';
echo '    <INPUT TYPE="checkbox" NAME="tcp_flags[2]" VALUE="2"
'.chk_check($tcp_flags[2],"2").'> [SYN] &nbsp';
echo '    <INPUT TYPE="checkbox" NAME="tcp_flags[1]" VALUE="1"
'.chk_check($tcp_flags[1],"1").'> [FIN] &nbsp';
<snip>

The tcp_flags[8] and tcp_flags[7] are those in question...


- John


Later,

** See print-tcp.c in tcpdump source from tcpdump.org.

On Sun, Jul 21, 2002 at 10:59:42PM -0700, John Sage wrote:
arf..

<snippage>
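A worked decoder for the two numbering schemes discussed above (the RFC's word-3 bit numbers of Phil's diagram, and ACID's power-of-two checkbox VALUEs from acid_qry_form.php). This is an added example, not code from the thread, from Snort or from ACID; the sample header word (a SYN with both ECN bits set, window 5840) is constructed for the demonstration, and the CWR/ECE names for the two former reserved bits are taken from the diagram annotations.

```python
import struct

# One row per bit of the TCP flags byte (byte 13 of the header), MSB first.
# Columns: (byte value, bit number within 32-bit word 3 per the diagram above,
#           flag name, label ACID prints beside its checkbox).
# The byte value is exactly the VALUE attribute ACID gives each checkbox,
# which is the "powers of two" behaviour seen in acid_qry_form.php.
FLAG_TABLE = [
    (0x80, 8, "CWR", "RSV1"),   # diagram: W, congestion window reduced
    (0x40, 9, "ECE", "RSV0"),   # diagram: E, ECN-echo
    (0x20, 10, "URG", "URG"),
    (0x10, 11, "ACK", "ACK"),
    (0x08, 12, "PSH", "PSH"),
    (0x04, 13, "RST", "RST"),
    (0x02, 14, "SYN", "SYN"),
    (0x01, 15, "FIN", "FIN"),
]

# Constructed sample: bytes 12..15 of a TCP header.
#   0xA0 -> data offset 10 (40-byte header), 4 reserved bits clear
#   0xC2 -> CWR + ECE + SYN (an ECN-capable connection request)
#   0x16D0 -> window 5840
SAMPLE_WORD3 = bytes([0xA0, 0xC2, 0x16, 0xD0])


def parse_word3(word3):
    """Split word 3 of a TCP header into offset, reserved bits, flags, window."""
    if len(word3) != 4:
        raise ValueError("word 3 of the TCP header is exactly 4 bytes")
    off_rsv, flags, window = struct.unpack("!BBH", word3)
    return {
        "data_offset": off_rsv >> 4,   # header length in 32-bit words
        "reserved": off_rsv & 0x0F,    # the 4 bits still reserved after ECN
        "flags": flags,
        "window": window,
    }


def flag_names(flags):
    """Names of the set flags, MSB first, using the ECN names for the old reserved bits."""
    return [name for value, _, name, _ in FLAG_TABLE if flags & value]


def rfc_bit_numbers(flags):
    """Set flags expressed as bit numbers of word 3 (CWR = 8, ECE = 9, ... FIN = 15)."""
    return [bit for value, bit, _, _ in FLAG_TABLE if flags & value]


def flags_field_positions(flags):
    """Set flags numbered 0..7 within the 8-bit flags field (CWR = 0, FIN = 7)."""
    return [bit - 8 for bit in rfc_bit_numbers(flags)]


def acid_checkbox_values(flags):
    """Map the set flags to ACID's checkbox labels and their VALUE attributes."""
    return {label: value for value, _, _, label in FLAG_TABLE if flags & value}


def flags_from_acid(checked):
    """Rebuild the flags byte from a set of checked ACID boxes (label -> VALUE)."""
    # ACID's VALUEs are distinct powers of two, so summing them is the same as OR-ing.
    return sum(checked.values())


if __name__ == "__main__":
    hdr = parse_word3(SAMPLE_WORD3)
    f = hdr["flags"]
    print("data offset:", hdr["data_offset"], "words; window:", hdr["window"])
    print("flags byte: 0x%02X ->" % f, flag_names(f))
    print("word-3 bit numbers:", rfc_bit_numbers(f))
    print("positions in 8-bit flags field:", flags_field_positions(f))
    print("ACID checkboxes:", acid_checkbox_values(f))
    print("round trip:", hex(flags_from_acid(acid_checkbox_values(f))))
```

Both views describe the same two bits: the diagram's bit 8 and bit 9 of word 3 are the 0x80 and 0x40 bits of the flags byte, which is why ACID assigns its RSV1 and RSV0 checkboxes the VALUEs 128 and 64, and why summing the checked VALUEs recovers the byte Snort matched on.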

