[Snort-devel] Unified Logging (PKT_STREAM_TWH & PKT_FROM_CLIENT)

Christopher Granger chrisgrangerx at ...2499...
Tue Feb 21 09:39:48 EST 2012

Hi Snort Dev,

Regarding Unified logging & Packet Flags, can you answer this question:

If the Packet Flags bit 0x00000020 is set (referenced below from decode.h)

#define PKT_STREAM_TWH                         0x00000020  /* packet completes the 3-way handshake */

#define PKT_FROM_CLIENT                        0x00000080  /* this packet came from the client */

should flag 0x00000080 always also be set?

Based on log sampling I've done, this seems to be the case -- i.e.
while 0x00000080 may be set alone, whenever 0x00000020 is set,
0x00000080 is also

Thank you,