[Snort-users] flags SYN question...
mkettler at ...4108...
Fri Dec 5 08:39:03 EST 2003
At 12:58 PM 12/4/2003, gfyspf at ...131... wrote:
>Could someone please tell me what the 12 stands for in the following line:
>flags:S,12 and are there other numbers if so what are they used for? I
>have been searching all the documentation and can't find much info on it.
Those are the old "reserved 1" and "reserved 2" bits that are the next two
bits up from the 6 flag bits in the tcp header.
ECN uses them nowdays.
Some OS fingerprinters (ie: nmap) set these bits on some of their test
packets to differentiate OS behaviors.
More information about the Snort-users