On Mon, 21 Feb 2000 out of nowhere LigerTeam spoke:
~ :The flag value Each one correspond to 1 bit,
~ :but it have unused 2 bit.
~ :
~ :|unused|unused|URG|ACK|PSH|RST|SYN|FIN|
~ :
~ :Understanding of the very problem is simple.

not new. These bits have been already used by queso fingerprints while ago (`f' type of packet). Whether these bits are considered or ignored also apparently depends on the tcp-stack implementation. (linux vs. MacOS f.e)

~ :When the flags variable in tcp header is adjusted
~ :totally with given value,
~ :higher two bit(unused bit) must be cleared
~ :and set at 0.

wouldn't agree. By rfc two higher bits here are considered `reserved' and should be set to `0'. Having seen these bits being set to `1' is already a good indication of hostile activity or broken hardware in your network, so you should be able to spot these packets too.

--
Key fingerprint = 4422 16FC 3C7D E10A B044 CA4F 2BE0 3943 9758 9324
http://www.kalug.lug.net/fygrave/
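Added example, not part of the original post: a minimal check that spots IPv4/TCP packets with either of the two high bits of the flags byte set, using the bit layout quoted above. The function names, addresses and sample packets are constructed for illustration.

```python
import struct

FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5
RESERVED_MASK = 0xC0  # the two high bits of the flags byte discussed in the post


def make_packet(src, dst, flags):
    """Constructed test input: minimal IPv4 + TCP header, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp


def check_packet(packet):
    """Return None for non-TCP/IPv4 or truncated input, else a finding dict."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:
        return None                         # TCP header not fully captured
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                         # later fragment: no TCP header here
    flags = packet[ihl + 13]                # byte 13 of the TCP header
    return {
        "src": ".".join(map(str, packet[12:16])),
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)],
        "reserved": (flags & RESERVED_MASK) >> 6,  # 0 means both bits clear
        "alert": bool(flags & RESERVED_MASK),
    }


def alerts(packets):
    """Findings for every packet that has a high flag bit set."""
    return [f for f in map(check_packet, packets) if f and f["alert"]]


# Constructed samples: a plain SYN, a SYN with both high bits set, and a
# SYN/ACK with one high bit set.
SAMPLES = [
    make_packet((192, 0, 2, 10), (198, 51, 100, 1), 0x02),
    make_packet((192, 0, 2, 66), (198, 51, 100, 1), 0xC2),
    make_packet((192, 0, 2, 67), (198, 51, 100, 1), 0x52),
]

if __name__ == "__main__":
    for finding in alerts(SAMPLES):
        print(finding)
```

RFC 3168, published after this thread, assigned these two bits to ECN (ECE and CWR), so on current networks a set bit is not anomalous by itself and the check needs an allowance for ECN traffic.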