[Snort-users] TCP reserved flags: which is it?

John Sage jsage at ...2022...
Sun Jul 21 23:00:05 EDT 2002


arf..

Actually, if you had read my initial post, the *real* question was
why snort reported the flags as 12****S* while ACID reports the flags
as flags=21****S*

Notice the "1" and the "2" are reversed between the two.

I know *what* the flags mean; I'm just trying to understand why snort
and ACID seem to be reporting them differently...

(That, and I was kinda funnin' with Erek, but he doesn't seem to have
noticed :-)


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 



On Sun, Jul 21, 2002 at 12:14:27PM -0600, Phil Wood wrote:
> On Sat, Jul 20, 2002 at 10:10:00PM -0700, John Sage wrote:
> > On Wed, Jul 17, 2002 at 11:38:31PM -0700, John Sage wrote:
> > > Received some tcp:25 packets with the reserved flag bits set.
> > 
> > <snip>
> > 
> > What about my question?
> > 
> > Guys?
> Take a look at rfc2481 and rfc2914.txt.  Those bits are being used
> for explicit congestion control.  Of course it only works if both ends
> and intervening routers are participating.  Here is a snippet from rfc 2481:
> 
> 6.1. TCP
> 
>    The following sections describe in detail the proposed use of ECN in
>    TCP.  This proposal is described in essentially the same form in
>    [Floyd94]. We assume that the source TCP uses the standard congestion
>    control algorithms of Slow-start, Fast Retransmit and Fast Recovery
>    [RFC 2001].
> 
>    This proposal specifies two new flags in the Reserved field of the
>    TCP header.  The TCP mechanism for negotiating ECN-Capability uses
>    the ECN-Echo flag in the TCP header.  (This was called the ECN Notify
>    flag in some earlier documents.)  Bit 9 in the Reserved field of the
>    TCP header is designated as the ECN-Echo flag.  The location of the
>    6-bit Reserved field in the TCP header is shown in Figure 3 of RFC
>    793 [RFC793].
> 

8< snip >8
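The snippet quoted above places the two ECN flags in the TCP Reserved field (RFC 2481 uses bit 8 of the offset/reserved/flags word for CWR and bit 9 for ECN-Echo), and the thread's puzzle is that Snort prints the same packet as "12****S*" while ACID prints "21****S*". The decoder below is an added example, not code from the thread, from Snort or from ACID: it pulls the flag bits out of a raw 20-byte TCP header, renders the eight-column flag string with the two reserved columns in either order, and classifies a SYN carrying both ECN bits as the ECN negotiation the RFC describes. The labelling of CWR as '1' and ECN-Echo as '2' is an assumption (the page does not say which bit each tool calls '1'), and the sample header is constructed here.

```python
import struct

# Bit positions inside TCP header bytes 12-13, the 16-bit
# "data offset | reserved | flags" word (bit 0 = most significant):
#   bits 0-3   data offset (header length in 32-bit words)
#   bits 4-9   reserved; RFC 2481 assigns bit 8 to CWR, bit 9 to ECN-Echo
#   bits 10-15 URG ACK PSH RST SYN FIN (RFC 793)
FLAG_BITS = {
    "CWR": 0x0080,  # bit 8 of the word: Congestion Window Reduced (RFC 2481)
    "ECE": 0x0040,  # bit 9 of the word: ECN-Echo (RFC 2481)
    "URG": 0x0020,
    "ACK": 0x0010,
    "PSH": 0x0008,
    "RST": 0x0004,
    "SYN": 0x0002,
    "FIN": 0x0001,
}

# Column labels in the order the thread's flag strings use for the
# six RFC 793 flags: U A P R S F.
RFC793_COLUMNS = (("U", "URG"), ("A", "ACK"), ("P", "PSH"),
                  ("R", "RST"), ("S", "SYN"), ("F", "FIN"))


def parse_tcp_flags(tcp_header: bytes) -> dict:
    """Return the data offset and the set of flag names in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    word = struct.unpack("!H", tcp_header[12:14])[0]
    data_offset = word >> 12
    if data_offset < 5:
        raise ValueError("data offset %d is below the legal minimum of 5" % data_offset)
    flags = {name for name, mask in FLAG_BITS.items() if word & mask}
    return {"data_offset": data_offset, "flags": flags}


def flag_string(flags: set, reserved_order: str = "12") -> str:
    """Render the eight-column flag string seen in the thread.

    Assumption: column '1' stands for CWR and column '2' for ECN-Echo.
    reserved_order selects which of the two prints first, so "12" mimics
    the Snort output quoted in the thread and "21" the ACID output.
    """
    if sorted(reserved_order) != ["1", "2"]:
        raise ValueError("reserved_order must be '12' or '21'")
    columns = []
    for label in reserved_order:
        name = "CWR" if label == "1" else "ECE"
        columns.append(label if name in flags else "*")
    for label, name in RFC793_COLUMNS:
        columns.append(label if name in flags else "*")
    return "".join(columns)


def is_ecn_setup_syn(flags: set) -> bool:
    """True for a SYN (not SYN/ACK) with both ECN flags set, i.e. the
    ECN-capability negotiation of RFC 2481 section 6.1.1, not a malformed
    packet with random reserved bits."""
    return "SYN" in flags and "ACK" not in flags and {"CWR", "ECE"} <= flags


# Constructed sample: a 20-byte TCP header to port 25 with offset 5 and
# CWR|ECE|SYN set (word 0x50C2), the kind of packet the thread reports.
SAMPLE_SYN_TO_25 = struct.pack("!HHIIHHHH", 40000, 25, 1, 0, 0x50C2, 65535, 0, 0)


if __name__ == "__main__":
    parsed = parse_tcp_flags(SAMPLE_SYN_TO_25)
    print("flags:", sorted(parsed["flags"]))
    print("Snort-style:", flag_string(parsed["flags"], "12"))
    print("ACID-style: ", flag_string(parsed["flags"], "21"))
    print("ECN-setup SYN:", is_ecn_setup_syn(parsed["flags"]))
```

With both reserved bits set, the two orderings differ only in which column shows '1' and which '2'; the packet itself is the same, which is why the reversed strings in the thread describe the same SYN.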