[Snort-devel] Unified Logging (PKT_STREAM_TWH & PKT_FROM_CLIENT)

Steven Sturges ssturges at ...402...
Tue Feb 21 10:44:07 EST 2012


That's how TCP usually works, though not always (i.e., server splitting
its SYN & ACK packets).  Typically the 3rd packet of the 3-way
handshake is from the client.

SYN -->
<-- SYN/ACK
ACK -->

On 2/21/12 9:39 AM, Christopher Granger wrote:
> Hi Snort Dev,
>
> Regarding Unified logging & Packet Flags, can you answer this question,
> please?
>
> If the Packet Flags bit 0x00000020 is set (referenced below from decode.h)
>
> #define PKT_STREAM_TWH                         0x00000020  /* packet completes the 3-way handshake */
>
> #define PKT_FROM_CLIENT                        0x00000080  /* this packet came from the client */
>
> should flag 0x00000080 always also be set?
> Based on log sampling I've done, this seems to be the case -- i.e.
> while 0x00000080 may be set alone, whenever 0x00000020 is set, 0x00000080
> is also set.
> Thank you,
> -Chris
>
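An added example, not code from this thread or from Snort itself: it decodes the two decode.h bits quoted above, checks the invariant Chris observed over a constructed list of flag words, and shows with a toy handshake tracker (a simplified model I wrote for illustration, not stream5's logic) why the packet completing a normal SYN / SYN-ACK / ACK exchange is the client's.

```python
# Added example (not Snort's own code): the two packet-flag bits quoted from decode.h.
PKT_STREAM_TWH = 0x00000020   # packet completes the 3-way handshake
PKT_FROM_CLIENT = 0x00000080  # this packet came from the client

FLAG_NAMES = {PKT_STREAM_TWH: "PKT_STREAM_TWH", PKT_FROM_CLIENT: "PKT_FROM_CLIENT"}


def decode_flags(flags: int) -> list[str]:
    """Names of the known bits set in a packet-flags word (other bits are ignored)."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def twh_without_client(samples: list[int]) -> list[int]:
    """Return the flag words that violate 'TWH set => FROM_CLIENT set'.

    An empty result over a log sample means the observation in the thread holds
    for that sample; a non-empty one shows the exceptions worth looking at."""
    return [f for f in samples if (f & PKT_STREAM_TWH) and not (f & PKT_FROM_CLIENT)]


def tag_handshake(packets: list[tuple[str, set[str]]]) -> list[int]:
    """Toy tracker (assumption, not stream5): each packet is (direction, tcp_flags)
    with direction 'c2s' or 's2c'. Returns a packet-flags word per packet, setting
    PKT_STREAM_TWH on the packet that completes a normal three-way handshake.
    A server that splits its SYN and ACK into separate packets, as Steven notes,
    never reaches ESTABLISHED in this simplified model."""
    state = "LISTEN"
    out = []
    for direction, tcp in packets:
        pflags = PKT_FROM_CLIENT if direction == "c2s" else 0
        if state == "LISTEN" and direction == "c2s" and tcp == {"SYN"}:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and direction == "s2c" and tcp == {"SYN", "ACK"}:
            state = "SYN_RECV"
        elif state == "SYN_RECV" and direction == "c2s" and "ACK" in tcp:
            state = "ESTABLISHED"
            pflags |= PKT_STREAM_TWH  # third packet, from the client
        out.append(pflags)
    return out


if __name__ == "__main__":
    # Constructed sample: one normal handshake followed by a client data segment.
    flows = [("c2s", {"SYN"}), ("s2c", {"SYN", "ACK"}), ("c2s", {"ACK"}),
             ("c2s", {"ACK", "PSH"})]
    for word in tag_handshake(flows):
        print(hex(word), decode_flags(word))
    # Constructed flag words as they might be sampled from a log.
    print("violations:", twh_without_client([0x80, 0xA0, 0x00, 0x20]))
```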



