not sure ESTABLISHED TCP traffic will have ACK flag setalways...

seberino at spawar.navy.mil seberino at spawar.navy.mil
Sun Apr 10 05:54:03 CEST 2005


> The only really questionable flag is the RST where some TCP/IP stacks will
> send packets with the RST flag set if they mistakenly receive a packet that
> was not destined to them.  This is i
> mplementation dependent and not clearly defined in RFCs and thus a matter
> of some confusion.

I haven't read this in RFC 793 myself.  However, I've read other
docs /about/ RFC 793 that state that RFC 793 mandates closed
ports *must* send an RST in response to packets.  This is the
basis for at least some of stealth scans like FIN, Xmas and NULL
IIRC.

It is true that different stacks don't follow the RFC in this area.
MS Windows does not do the proper thing in this area.  This
is why the /absense/ of the RST from a closed port is one way
to do OS fingerprinting!  If every OS followed the RFC in this
area there would not be so much confusion if I understand things
correctly.

Cheers,

Chris



More information about the netfilter mailing list