[EMAIL PROTECTED] wrote:
> 
> Here is a trace of the first packet where the client was using
> the (crufty) W95 telnet command:
>
> [snip]
> 
> TCP header breakdown:
>         <source port=3762, destination port=25(smtp) >
>         th_seq=27b65d1, th_ack=0
>         th_off=11, flags<SYN>
>         th_win=5840, th_sum=47f5, th_urp=0
>                 mss 1460
>                 nop
>                 wscale 0
>                 nop
>                 nop
>                 opt-8:00000000     0a000000 00000000
> |........|
>                 eol
>                 nop
>                 nop
>                 opt-4:          mss 0 [len 0]
> 
> Everything after the "mss 1460" would not be present when using a normal
> smtp client.  These are telnet options; the smtp server is going to
> completely ignore these unless it is trying to detect that a telnet client
> made the connection.

Meep, wrong. The MSS option is standard TCP. The window scaling option
is standard TCP. Option 8 is Timestamp, also part of standard TCP.
I don't know what happens past |........| though, your output is
a bit hard to read..

I can tell you for a fact that all the options before |......| are 
created by the TCP stack and have nothing to do with what client
software is being used. They're added to the initial packet of the
connection because your TCP stack thinks they should be there. Period.

Also, the first packet of any TCP connection is the SYN packet.
Data never travels in SYN packets in normal TCP. If you want
to look at the telnet options, you'll have to look at the 
packet AFTER the SYN / SYNACK / ACK handshake (or possibly
the ACK packet there if you have a TCP stack that allows
sending data in the first ACK).

I suggest that you get your hands on a a better packet sniffer 
that understands how to parse the TCP data offset (header length) 
field in order to be able to distinguish real options from garbled 
random data appended due to the ethernet minimum frame length 
requirement.

Regards,
Mikael Olsson

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 �RNSK�LDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

Reply via email to