Security Incidents: Re: Strange TCP RSTs -- CWR bit?

From: Richard Bejtlich <richard_at_BEJTLICH.NET>
Date: Thu, 1 Feb 2001 17:12:49 -0000

Hi all,

Crist, I don't think tcpdump is lying. According to
RFC 2481 (A Proposal to add Explicit Congestion
Notification [ECN] to IP), bit 8 of the TCP reserved
field is indeed designated the Congestion Window
Reduced (CWR) bit. See
http://www.faqs.org/rfcs/rfc2481.html for more on
ECN or http://www.faqs.org/rfcs/rfc793.html for the
TCP header format with the bits clearly explained.
This CWR bit can also be thought of as being two
bits left of the URG flag.

Sincerely,

Richard Bejtlich
http://bejtlich.net

---
Crist Clark <crist.clark_at_GLOBALSTAR.COM> wrote:
> 10:51:02.546232 205.188.144.231.80 > aaa.bbb.cc2.84.38277: R [CWR] 704125102:704125102(0) win 0 (DF) (ttl 49, id 24447)
<snip>
> But I'm not any closer to why it is turning on bit-8 in
> the reserved TCP field from RFC793 (noted
> erroneously in this tcpdump as the CWR flag) in that
> RST packet...
Received on Feb 01 2001
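
The bit layout discussed in this message, as an added example that is not part of the original post: a decoder for the fixed TCP header that names the RFC 793 flags and the two RFC 2481 ECN bits, and picks out a RST carrying CWR or ECE. The function names and the sample header are constructed for illustration; the sample mirrors the ports, sequence number and flags of the quoted tcpdump line.

```python
import struct

# Masks for byte 13 of the TCP header: the six RFC 793 flags plus the two
# ECN bits that RFC 2481 takes from the reserved field.
TCP_FLAGS = [
    (0x80, "CWR"),  # bit 8 of the 16-bit offset/reserved/flags word
    (0x40, "ECE"),  # bit 9 (ECN-Echo)
    (0x20, "URG"),  # bit 10, so CWR sits two bits to its left
    (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
]

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and name every flag bit that is set."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    data_offset = off_flags >> 12            # header length in 32-bit words
    if data_offset < 5:
        raise ValueError("data offset below the 5-word minimum")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "data_offset": data_offset,
        "reserved": (off_flags >> 8) & 0x0F,  # the 4 bits RFC 2481 leaves reserved
        "flags": [name for mask, name in TCP_FLAGS if off_flags & mask],
    }

def rst_with_ecn_bits(hdr: dict) -> bool:
    """True for the case in the thread: a RST that also carries CWR or ECE."""
    flags = set(hdr["flags"])
    return "RST" in flags and bool(flags & {"CWR", "ECE"})

def build_header(sport, dport, seq, flag_byte, win=0):
    """Constructed test input: 20-byte header, no options, checksum left at 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (5 << 12) | flag_byte, win, 0, 0)

# Constructed sample mirroring the quoted tcpdump line (port 80 -> 38277, R [CWR]).
SAMPLE = build_header(80, 38277, 704125102, 0x04 | 0x80)

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE)
    print(hdr["flags"], "RST with ECN bits:", rst_with_ecn_bits(hdr))
```
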