Snort mailing list archives

Re: TCP flags issue

From: Steven Sturges <ststurge () cisco com>
Date: Wed, 4 Feb 2015 10:29:05 -0500

Per updates to the TCP specification, there are 8 bits of flags in theTCP flags section.The additional "flag" is really part of the adjacent 8 bits that coverthe Data Offset &

Reserved fields.

The ECN Nonce is "flag" 9, aka bit 1 of that adjacent octet.

Use bit 1 of offset_reserved in TCPHeader if you need to check that in adynamic

module that uses sf_snort_packet.h.

On 2/4/15 3:10 AM, Balasubramaniam Natarajan wrote:

On Wed, Feb 4, 2015 at 3:12 AM, sajjad purmohseni<spurmohseni () yahoo com <mailto:spurmohseni () yahoo com>> wrote:


    Hi all



    As you know TCP has 9 flags. But as you see TCP flags of snort is
    8 bits defined in *sf_snort_packet.h* file:

For all I know TCP has just 6 Flags in use currently.

    typedef struct _TCPHeader
    {
    ...
    uint8_t flags;
    ...
    } TCPHeader;

    also predefinded flags are 9 bits as must be:

    #define TCPHEADER_FIN  0x01
    #define TCPHEADER_SYN  0x02
    ...

    Now I am confused if I want to check TCP_SYN flag; how to do that.
    I have used this but it doesn't return correct answer:

I believe the 13 offset of TCP header should be 0x03 for SYN&FIN.

    if (packet->tcp_header->flags & TCPHEADER_SYN){
        ...
    }
    Can anybody guide me about this issue? Thank you.

    ----
    kind regards;
    Sajad Pourmohseni

--

Regards,
Balasubramaniam Natarajan
http://blog.etutorshop.com


------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

TCP flags issue sajjad purmohseni (Feb 03)
- Re: TCP flags issue Balasubramaniam Natarajan (Feb 04)
  - Re: TCP flags issue Steven Sturges (Feb 04)
    - Re: TCP flags issue sajjad purmohseni (Feb 05)
    - Re: TCP flags issue Al Lewis (allewi) (Feb 09)