[Snort-users] TCP flags

Joshua Wright Joshua.Wright at ...2031...
Wed Oct 17 04:54:24 EDT 2001


David,

(U)RG:  Urgent Pointer field significant
(A)CK:  Acknowledgment field significant
(P)SH:  Push Function
(R)ST:  Reset the connection
(S)YN:  Synchronize sequence numbers
(F)IN:  No more data from sender

and two "unused" fields.

If you don't already own it, I recommend purchasing "TCP/IP Illustrated,
volume 1" by Dr. Richard Stevens.  It is an invaluable reference for anyone
involved with networking, systems administration or information security.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at ...2031... 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73


-----Original Message-----
From: David Hondel [mailto:dhondel at ...3841...]
Sent: Tuesday, October 16, 2001 3:58 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] TCP flags


This is probably an easy one, but I can't seem to find it....

When running snort (with -dev), there are 8 asterisks for flags (one is a
letter, to denote the presence of a flag, I presume).

Are these spelled out anywhere?

example:

10/16-10:23:46.905044 0A:BC:DE:F0:AB:CD -> CD:EF:0A:BC:DE:F0 type:0x800
len:0x3c
10.0.0.1 -> 10.0.0.2 TCP TTL:127 TOS:0x0 ID:41350 IpLen:20 Dg
mLen:40
*****R**  Seq: 0x6D08BBFF  Ack: 0x6D08BBFF  Win: 0x0  TcpLen: 20


Thanks,

David 

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list