After further examination and re-plumbing our cabling to the edge router to allow me to sniff packets "pre-IDS/firewall", I strongly suspect this is a bug in Cisco's IOS FW/IDS feature set.

In each of the three cases of "no flags set in TCP header" the sendmail session was doing fine until after the DATA part of the SMTP session. The next packet was fragmented (slightly ... about 14 bytes overflow from standard MTU). The following trailing fragment of course had no TCP header, just IP, and was padded with zeroes to fit the minimum 64-byte packet size, followed by the checksum. If the packet were "blindly" decoded as if it was not a fragment, the offset of the normal TCP flags field within the packet fell into the zero-padded part of the payload. So no, no flags in that "header".

I have a case open with them to confirm my suspicions, but the packet trace looks innocent enough to me. Sorry for the (probably) false alarm.

Jeff Kell <jeff-kellat_private>
Systems/Network Administrator
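
The decoding error suspected in the message above, as an added example that is not part of the original post and is not Cisco's code: a blind decoder reads the TCP flags byte out of Ethernet zero padding on a trailing fragment, while a decoder that checks the IP fragment offset first reports that there is no TCP header to inspect. Addresses, ports, payload sizes (a 12-byte trailing fragment) and all function names are constructed for illustration.

```python
import struct

ETH_MIN_PAYLOAD = 46  # Ethernet pads short payloads to 46 bytes (64-byte frame)
PSH_ACK = 0x18

def ipv4_packet(payload, frag_offset_bytes, more_fragments):
    """Constructed IPv4 packet (checksum left at 0), zero-padded as on the wire."""
    flags_off = (0x2000 if more_fragments else 0) | (frag_offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    pkt = hdr + payload
    return pkt + b"\x00" * max(0, ETH_MIN_PAYLOAD - len(pkt))

def naive_tcp_flags(buf):
    """Blind decode: assumes a TCP header always follows the IP header."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[ihl + 13]

def checked_tcp_flags(buf):
    """Return the TCP flags byte, or None when the packet holds no TCP header."""
    ihl = (buf[0] & 0x0F) * 4
    total_len, _ident, flags_off = struct.unpack("!HHH", buf[2:8])
    if buf[9] != 6:                          # not TCP
        return None
    if flags_off & 0x1FFF:                   # non-first fragment: data only
        return None
    if min(total_len, len(buf)) < ihl + 14:  # flags byte outside the datagram
        return None
    return buf[ihl + 13]

def demo():
    """Decode a constructed two-fragment SMTP segment both ways."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, 0x50, PSH_ACK, 8192, 0, 0)
    first = ipv4_packet(tcp_hdr + b"x" * 1460, 0, True)    # 1480-byte payload
    trailing = ipv4_packet(b"end of body\n", 1480, False)  # 12 data bytes
    return {
        "first_naive": naive_tcp_flags(first),
        "first_checked": checked_tcp_flags(first),
        "trailing_naive": naive_tcp_flags(trailing),
        "trailing_checked": checked_tcp_flags(trailing),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
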
This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:41:37 PDT