[Snort-users] flags SYN question...

Matt Kettler mkettler at ...4108...
Fri Dec 5 08:39:03 EST 2003

At 12:58 PM 12/4/2003, gfyspf at ...131... wrote:
>Could someone please tell me what the 12 stands for in the following line:
>flags:S,12  and are there other numbers if so what are they used for?  I 
>have been searching all the documentation and can't find much info on it.

Those are the old "reserved 1" and "reserved 2" bits that are the next two 
bits up from the 6 flag bits in the tcp header.

ECN uses them nowdays.

Some OS fingerprinters (ie: nmap) set these bits on some of their test 
packets to differentiate OS behaviors. 

More information about the Snort-users mailing list