From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: Weird TCP flags?
Date: Fri, 12 Dec 2003 12:41:37 -0500
Message-ID: <1071250896.1973.10.camel@grendel>
In-Reply-To: <200312121105.19702.JALaramie@Loudoun-Fairfax.com>
On Fri, 2003-12-12 at 11:05, Jeffrey Laramie wrote:
>
> Yeah, I definitely need a vacation. Next time I post something stupid like
> that *smack* me and say "Shut Up Jeff, let me answer this!"
Be careful what you wish for... ;-)
> The TTL of his packet was about 60 secs lower than what I usually see which
> makes Chris's explanation sound likely. How does TTL get calculated?
Actually, the TTL (63) is dead on if his server is running on Linux or
BSD. Based on the window and packet size, I would guess Linux.
Per the RFC, a host is "supposed" to decrement the TTL by 1 for every
hop crossed, as well as every second the packet is queued. So for
example a router holding a packet for 5 seconds prior to transmitting
should decrement the TTL by 6.
In reality, most/all devices just decrement by one per hop and don't
look at the time component. IMHO this is useful for us as a community
as it makes it easier to use TTL for passively fingerprinting packets.
HTH,
C
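
The TTL reasoning in the message above, as an added example that is not part of the original post: it reads the TTL from iptables LOG lines and works back to the likely initial TTL, hop distance and OS family. The initial-TTL table, the 30-hop plausibility limit and the sample log lines are assumptions constructed for illustration.

```python
import re

# Commonly cited default initial TTLs. Assumption: this table is not from the
# original message, which only says a TTL of 63 fits Linux or BSD.
INITIAL_TTLS = {32: "older Windows (9x)", 64: "Linux / BSD",
                128: "Windows NT family", 255: "routers / Solaris"}
MAX_PLAUSIBLE_HOPS = 30  # assumption: longer paths are rare in practice

FIELD_RE = re.compile(r"\b(SRC|TTL)=(\S+)")

# Constructed, abbreviated sample lines in the iptables LOG target's format.
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=63 "
    "ID=0 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=48 TTL=116 "
    "ID=4211 DF PROTO=TCP SPT=1042 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    "kernel: IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 LEN=40 TTL=70 "
    "ID=9 PROTO=TCP SPT=4000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
]


def estimate(observed_ttl):
    """Return (initial_ttl, hops, os_guess) for an observed TTL, else None."""
    if not 1 <= observed_ttl <= 255:
        return None
    # Each hop subtracts one, so the sender started at the smallest
    # well-known initial value that is >= what arrived.
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl, INITIAL_TTLS[initial]


def fingerprint_log(lines):
    """Estimate sender OS family and hop distance for each logged packet."""
    results = []
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        if not fields.get("TTL", "").isdigit():
            continue  # not an IP log line, or the TTL field is damaged
        est = estimate(int(fields["TTL"]))
        if est is None:
            continue
        initial, hops, guess = est
        # A very long implied path usually means a non-default initial TTL.
        results.append({"src": fields.get("SRC"), "ttl": int(fields["TTL"]),
                        "initial": initial, "hops": hops, "guess": guess,
                        "plausible": hops <= MAX_PLAUSIBLE_HOPS})
    return results
```

The third sample line (TTL=70) implies a 58-hop path from an initial TTL of 128, so it is marked implausible: the guess is only as good as the assumption that the sender used a default initial TTL.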