[Snort-users] TCP Window Question

jess at ...521... jess at ...521...
Fri Jun 1 15:08:47 EDT 2001


	Hi, folks.

	While parsing through some printed detects, I found TCP SYN
pkts with window sizes of 512 and 1024. Those are supposed to come from
old versions of NT, Solaris or Linux.

	I know it's quite unusual to find such small window sizes (TCP
stacks nowadays default to much higher windows sizes:
http://project.honeynet.org/papers/finger/traces.txt), unless
the system is very busy, when the window sizes can drop to even 0.

	I was just wandering if anyone knew of a TCP stack which defaults
to such small values or any reason other than the above that can lead to
them.

	Cheers,

	JESS





More information about the Snort-users mailing list