[Snort-users] TCP reserved flags: which is it?

Phil Wood cpw at ...440...
Mon Jul 22 09:19:03 EDT 2002


Sar-eee,

Everybody is wrong, cause they are referred to in the RFC as
bit 9* and bit 8!  But, that's in relation to the 32 bit word
which is word 3 of the tcp header (start counting at 0 of course).

   0               ! * 1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | OFF=10| | | | |W|E|U|A|P|R|S|F|  Window = 5840                |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   data   | reserved  | flags     |
    offset

* ECN-Echo flag
! Congestion Window Reduced flag

So, if we go with the flow, bit W (congestion _W_indow reduced (ECN))**
and bit E (ecn _E_cho sent (ECN))** are the first two bits in the newly (1999)
defined (6->8) bit tcp flags field.  Consequently, they should be numbered
bit 0 and bit 1 of the tcp flags field.  Ah, but what happens to all the
old documentation that might refer to the Urgent bit as bit 0 or bit 10,
or when the flags field expands further into the reserved space?

Later,

** See print-tcp.c in tcpdump source from tcpdump.org.

On Sun, Jul 21, 2002 at 10:59:42PM -0700, John Sage wrote:
> arf..
> 
> Actually, if you had read my initial post, the *real* question was
> why snort reported the flags as 12****S* while ACID reports the flags
> as flags=21****S*
It was one of the once-over-lightly reads.
> 
> Notice the "1" and the "2" are reversed between the two.
> 
> I know *what* the flags mean; I'm just trying to understand why snort
> and ACID seem to be reporting them differently...
> 
> (That, and I was kinda funnin' with Erek, but he doesn't seem to have
> noticed :-)
> 
> 
> - John
> -- 
> "Obviously, we do not want to leave zombies around."
> 
> PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
> 
> 
> 
> On Sun, Jul 21, 2002 at 12:14:27PM -0600, Phil Wood wrote:
> > On Sat, Jul 20, 2002 at 10:10:00PM -0700, John Sage wrote:
> > > On Wed, Jul 17, 2002 at 11:38:31PM -0700, John Sage wrote:
> > > > Received some tcp:25 packets with the reserved flag bits set.
> > > 
> > > <snip>
> > > 
> > > What about my question?
> > > 
> > > Guys?
> > Take a look at rfc2481 and rfc2914.txt.  Those bits are being used
> > for explicit congestion control.  Of course it only works if both ends
> > and intervening routers are participating.  Here is a snippet from rfc 2481:
> > 
> > 6.1. TCP
> > 
> >    The following sections describe in detail the proposed use of ECN in
> >    TCP.  This proposal is described in essentially the same form in
> >    [Floyd94]. We assume that the source TCP uses the standard congestion
> >    control algorithms of Slow-start, Fast Retransmit and Fast Recovery
> >    [RFC 2001].
> > 
> >    This proposal specifies two new flags in the Reserved field of the
> >    TCP header.  The TCP mechanism for negotiating ECN-Capability uses
> >    the ECN-Echo flag in the TCP header.  (This was called the ECN Notify
> >    flag in some earlier documents.)  Bit 9 in the Reserved field of the
> >    TCP header is designated as the ECN-Echo flag.  The location of the
> >    6-bit Reserved field in the TCP header is shown in Figure 3 of RFC
> >    793 [RFC793].
> > 
> 
> 8< snip >8
> 
> 

-- 
Phil Wood, cpw at ...440...
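
The word-3 layout Phil draws above, decoded in code. This is an added example, not code from the original thread, from snort, tcpdump or ACID. It reads the four bytes of TCP header word 3 (bytes 12..15), splits them into data offset, the four still-reserved bits, the 8-bit flags field and the window, and renders the flags byte as an 8-column string so the two renderings from the thread ("12****S*" vs "21****S*") can be produced from the same byte just by changing the column order. The 20-byte header is constructed (ports, sequence number and the zeroed checksum are made up), and the convention that column '1' stands for CWR (0x80, word bit 8) and '2' for ECE (0x40, word bit 9) is an assumption of this example, not a statement about which label either tool actually uses; that is exactly what the thread is asking. A SYN carrying both of those bits is what RFC 2481 (and later RFC 3168) calls an ECN-setup SYN, so that check is included too.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit values in the 8-bit TCP flags field (byte 13 of the header, i.e. the
 * second byte of 32-bit word 3), MSB first. CWR and ECE occupy what RFC 793
 * called bits 8 and 9 of the word; the six classic flags follow in bits 10-15. */
#define TCP_CWR 0x80  /* Congestion Window Reduced (word bit 8) */
#define TCP_ECE 0x40  /* ECN-Echo (word bit 9) */
#define TCP_URG 0x20
#define TCP_ACK 0x10
#define TCP_PSH 0x08
#define TCP_RST 0x04
#define TCP_SYN 0x02
#define TCP_FIN 0x01

/* Constructed sample (not a captured packet): a 20-byte TCP header of an
 * ECN-setup SYN to port 25. Byte 12 = 0x50: data offset 5, low nibble still
 * reserved. Byte 13 = 0xc2: CWR|ECE|SYN. Window = 5840, as in the diagram. */
static const uint8_t sample_ecn_syn[20] = {
    0x9c, 0x40,             /* source port 40000 (made up) */
    0x00, 0x19,             /* destination port 25 */
    0x00, 0x00, 0x00, 0x01, /* sequence number (made up) */
    0x00, 0x00, 0x00, 0x00, /* acknowledgment number */
    0x50, 0xc2,             /* data offset / reserved, flags */
    0x16, 0xd0,             /* window 5840 */
    0x00, 0x00,             /* checksum (not computed here) */
    0x00, 0x00              /* urgent pointer */
};

/* Accessors for word 3; hdr points at byte 0 of the TCP header. */
unsigned tcp_data_offset(const uint8_t *hdr) { return hdr[12] >> 4; }    /* word bits 0-3 */
unsigned tcp_reserved(const uint8_t *hdr)    { return hdr[12] & 0x0F; }  /* word bits 4-7 */
uint8_t  tcp_flags(const uint8_t *hdr)       { return hdr[13]; }         /* word bits 8-15 */
uint16_t tcp_window(const uint8_t *hdr)
{
    return (uint16_t)(((unsigned)hdr[14] << 8) | hdr[15]);               /* word bits 16-31 */
}

/* RFC 2481 / RFC 3168: an ECN-setup SYN carries SYN, ECE and CWR;
 * an ECN-setup SYN-ACK carries SYN, ACK and ECE but not CWR. */
int tcp_is_ecn_setup_syn(uint8_t flags)
{
    const uint8_t mask = TCP_SYN | TCP_ACK | TCP_ECE | TCP_CWR;
    return (flags & mask) == (TCP_SYN | TCP_ECE | TCP_CWR);
}

int tcp_is_ecn_setup_synack(uint8_t flags)
{
    const uint8_t mask = TCP_SYN | TCP_ACK | TCP_ECE | TCP_CWR;
    return (flags & mask) == (TCP_SYN | TCP_ACK | TCP_ECE);
}

/* Render the flags byte as an 8-column string, one column per bit: the
 * column's label if that bit is set, '*' otherwise. The caller supplies the
 * column order (e.g. "12UAPRSF" or "21UAPRSF"). The labels '1' -> CWR and
 * '2' -> ECE are this example's own convention (an assumption). Returns a
 * static buffer, tcpdump-printer style; not thread-safe. */
const char *tcp_flags_string(uint8_t flags, const char *order)
{
    static char buf[9];
    memset(buf, '*', 8);
    buf[8] = '\0';
    for (int i = 0; i < 8 && order[i]; i++) {
        uint8_t bit;
        switch (order[i]) {
        case '1': bit = TCP_CWR; break;
        case '2': bit = TCP_ECE; break;
        case 'U': bit = TCP_URG; break;
        case 'A': bit = TCP_ACK; break;
        case 'P': bit = TCP_PSH; break;
        case 'R': bit = TCP_RST; break;
        case 'S': bit = TCP_SYN; break;
        case 'F': bit = TCP_FIN; break;
        default:  bit = 0;       break;  /* unknown label: column stays '*' */
        }
        if (flags & bit)
            buf[i] = order[i];
    }
    return buf;
}

int main(void)
{
    const uint8_t *h = sample_ecn_syn;
    uint8_t f = tcp_flags(h);
    printf("data offset %u words, reserved 0x%x, flags 0x%02x, window %u\n",
           tcp_data_offset(h), tcp_reserved(h), f, tcp_window(h));
    printf("order 12UAPRSF: %s\n", tcp_flags_string(f, "12UAPRSF"));
    printf("order 21UAPRSF: %s\n", tcp_flags_string(f, "21UAPRSF"));
    printf("ECN-setup SYN: %s\n", tcp_is_ecn_setup_syn(f) ? "yes" : "no");
    return 0;
}
```

The point the two renderings make: the byte on the wire is 0xc2 either way, and a "1" in the first column versus a "2" says nothing about the packet until you know which bit value each tool assigns to which label. For a packet with only CWR set (0x82) the same function gives "1*****S*" under one order and "*1****S*" under the other, so any rule or report that matches on the position of the digit rather than on the bit value will disagree between tools.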