Snort mailing list archives
Re: TCP reserved flags: which is it?
From: John Sage <jsage () finchhaven com>
Date: Mon, 22 Jul 2002 10:52:28 -0700
Phil:

/* sorry if I was a bit snappish, earlier.. */

On Mon, Jul 22, 2002 at 10:18:28AM -0600, Phil Wood wrote:
> Sar-eee, Everybody is wrong, 'cause they are referred to in the RFC as
> bit 9* and bit 8!  But, that's in relation to the 32 bit word which is
> word 3 of the tcp header (start counting at 0 of course).
>
>  0               ! * 1                   2                   3
>  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | OFF=10| | | | |W|E|U|A|P|R|S|F|         Window = 5840         |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>   data  |reserved|     flags    |
>  offset
>
>  * ECN-Echo flag
>  ! Congestion Window Reduced flag
>
> So, if we go with the flow, bit W (congestion _W_indow reduced (ECN))**
> and bit E (ecn _E_cho sent (ECN))** are the first two bits in the
> newly (1999) defined (6->8) bit tcp flags field.  Consequently, they
> should be numbered bit 0 and bit 1 of the tcp flags field.
>
> Ah, but what happens to all the old documentation that might refer to
> the Urgent bit as bit 0 or bit 10, or when the flags field expands
> further into the reserved space?
Yes. Got it.

Actually, I think Chris K had the best point (that I missed entirely, to
begin with): snort says 1-2, ACID says 2-1, tomato, tomahtoe, potato,
potahtoe, both are just indicating that both of two flags are set. It is
a binary deal, after all.

As far as ACID itself goes, I think it has more to do with how Roman
implemented his frontend into the MySQL database. acid_qry_form.php has
some magic regarding $tcp_flags and powers of two that I won't even
*try* to explain:

<snip>
echo ' <INPUT TYPE="checkbox" NAME="tcp_flags[8]" VALUE="128" '.chk_check($tcp_flags[8],"128").'> [RSV1] &nbsp;';
echo ' <INPUT TYPE="checkbox" NAME="tcp_flags[7]" VALUE="64" '.chk_check($tcp_flags[7],"64").'> [RSV0] &nbsp;';
echo ' <INPUT TYPE="checkbox" NAME="tcp_flags[6]" VALUE="32" '.chk_check($tcp_flags[6],"32").'> [URG] &nbsp;';
echo ' <INPUT TYPE="checkbox" NAME="tcp_flags[5]" VALUE="16" '.chk_check($tcp_flags[5],"16").'> [ACK] &nbsp;';
echo ' <INPUT TYPE="checkbox" NAME="tcp_flags[3]" VALUE="8" '.chk_check($tcp_flags[4],"8").'> [PSH] &nbsp;';
echo ' <INPUT TYPE="checkbox" NAME="tcp_flags[4]" VALUE="4" '.chk_check($tcp_flags[3],"4").'> [RST] &nbsp;';
echo ' <INPUT TYPE="checkbox" NAME="tcp_flags[2]" VALUE="2" '.chk_check($tcp_flags[2],"2").'> [SYN] &nbsp;';
echo ' <INPUT TYPE="checkbox" NAME="tcp_flags[1]" VALUE="1" '.chk_check($tcp_flags[1],"1").'> [FIN] &nbsp;';
<snip>

The tcp_flags[8] and tcp_flags[7] are those in question...

- John
> Later,
>
> ** See print-tcp.c in tcpdump source from tcpdump.org.
>
> On Sun, Jul 21, 2002 at 10:59:42PM -0700, John Sage wrote:
> > arf..
> > <snippage>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
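The two numberings the thread argues about (the RFC's bit 8/bit 9 within word 3 of the header, versus position within the 8-bit flags field, versus ACID's powers-of-two checkbox values) are easiest to see side by side on a real header. The following is an added example, not code from this thread or from Snort, ACID or tcpdump. It packs a constructed 20-byte TCP header, pulls word 3 apart, and reports each set flag under every convention mentioned above, plus a Snort flags-option string and tcpdump-style letters. The one assumption not stated in the thread is the Snort mapping of '1' to the most significant flag bit (0x80, CWR) and '2' to 0x40 (ECE), taken from the Snort manual's description of the flags option; the sample header and the posted ACID form values are constructed.

```python
import struct

# Per flag: name, bit number within 32-bit word 3 of the TCP header
# (RFC numbering, 0 = MSB, so the flags occupy bits 8..15), tcpdump
# letter, the VALUE ACID's checkbox posts, and the Snort flags character
# (the '1'/'2' reserved-bit mapping is assumed from the Snort manual).
FLAG_TABLE = [
    ("CWR",  8, "W", 128, "1"),  # ACID labels this RSV1
    ("ECE",  9, "E",  64, "2"),  # ACID labels this RSV0
    ("URG", 10, "U",  32, "U"),
    ("ACK", 11, ".",  16, "A"),  # tcpdump shows ACK as '.'
    ("PSH", 12, "P",   8, "P"),
    ("RST", 13, "R",   4, "R"),
    ("SYN", 14, "S",   2, "S"),
    ("FIN", 15, "F",   1, "F"),
]
ACID_VALUE = {name: value for name, _, _, value, _ in FLAG_TABLE}
TCPDUMP_LETTER = {name: letter for name, _, letter, _, _ in FLAG_TABLE}
# tcpdump prints the letters lowest flag first: F S R P . U E W
TCPDUMP_ORDER = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def build_tcp_header(sport, dport, seq, ack, data_offset, flags, window, reserved=0):
    """Pack a constructed 20-byte TCP header (no options, zero checksum/urgent)."""
    if not 5 <= data_offset <= 15:
        raise ValueError("data offset is a 4-bit count of 32-bit words (5..15)")
    # word 3, high half: offset(4) | reserved(4) | flags(8); low half: window
    word3_hi = (data_offset << 12) | ((reserved & 0x0F) << 8) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, word3_hi, window, 0, 0)


def split_word3(header):
    """Return (data_offset, reserved_nibble, flags_byte) from header bytes 12-13."""
    (word3_hi,) = struct.unpack("!H", header[12:14])
    return word3_hi >> 12, (word3_hi >> 8) & 0x0F, word3_hi & 0xFF


def decode_flags(flags):
    """List (name, word3_bit, flags_field_bit, acid_value) per set flag, MSB first.

    flags_field_bit is the position inside the 8-bit flags field, the
    numbering under which CWR and ECE come out as bits 0 and 1."""
    return [(name, bit, bit - 8, value)
            for name, bit, _, value, _ in FLAG_TABLE if flags & value]


def snort_flags(flags):
    """Snort flags-option string; '1' and '2' are the two reserved-bit flags."""
    return "".join(ch for _, _, _, value, ch in FLAG_TABLE if flags & value)


def tcpdump_flags(flags):
    """tcpdump-style letters, W and E for CWR and ECE as in print-tcp.c."""
    return "".join(TCPDUMP_LETTER[n] for n in TCPDUMP_ORDER if flags & ACID_VALUE[n])


def acid_form_to_flags(tcp_flags):
    """Rebuild the flags byte from a posted ACID $tcp_flags array.

    The checkboxes are NAME="tcp_flags[n]" VALUE="2**(n-1)", so the byte
    is the union of the posted values; OR rather than add, so a value
    posted twice cannot carry into a neighbouring bit."""
    flags = 0
    for value in tcp_flags.values():
        flags |= int(value) & 0xFF
    return flags


if __name__ == "__main__":
    # Constructed ECN-setup SYN: CWR | ECE | SYN = 0x80 | 0x40 | 0x02
    hdr = build_tcp_header(40000, 80, 1000, 0, 5, 0xC2, 5840)
    off, res, flags = split_word3(hdr)
    print("data offset %d words, reserved nibble %#x, flags %#04x" % (off, res, flags))
    for name, w3bit, fbit, val in decode_flags(flags):
        print("%-3s word-3 bit %2d  flags-field bit %d  ACID value %3d" % (name, w3bit, fbit, val))
    print("snort: flags:%s;  tcpdump: [%s]" % (snort_flags(flags), tcpdump_flags(flags)))
    posted = {8: "128", 7: "64", 2: "2"}   # what the ACID form would submit
    print("ACID form %r -> %#04x" % (posted, acid_form_to_flags(posted)))
```

Run it and the same packet reads as word-3 bits 8, 9 and 14, as flags-field bits 0, 1 and 6, as ACID values 128, 64 and 2, and as `flags:12S` for Snort: one byte, three labellings, which is the point Chris K made.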
Current thread:
- TCP reserved flags: which is it? John Sage (Jul 17)
- Win32 - libpcap questrion Anonymous - Mike (Jul 18)
- Re: Win32 - libpcap questrion Erek Adams (Jul 18)
- Re: TCP reserved flags: which is it? John Sage (Jul 20)
- Re: TCP reserved flags: which is it? Phil Wood (Jul 21)
- Re: TCP reserved flags: which is it? John Sage (Jul 21)
- Re: TCP reserved flags: which is it? Phil Wood (Jul 22)
- Re: TCP reserved flags: which is it? John Sage (Jul 22)
- Re: TCP reserved flags: which is it? Phil Wood (Jul 21)
- Win32 - libpcap questrion Anonymous - Mike (Jul 18)
- Re: TCP reserved flags: which is it? John Sage (Jul 21)
- Re: TCP reserved flags: which is it? John Sage (Jul 22)