Hey Danny --

f = flags

In the 13th byte offset of the TCP header are the session flags. The upper nibble of the byte is reserved bits and ACK and URG. The lower nibble is SYN, FIN, RST, and PSH.... So, 0x11 = SYN/ACK.

l = length (in bytes) of the TCP payload.

In your case, zero, because SYN/ACK's don't normally carry a payload.

Your alarm is either (a) a reply from Hotmail to your initial attempt at a connection that got lost; (b) someone spoofed your address SYN scanning a Hotmail server; or (c) a corrupted packet that found its way to you....

Hope this helps....

Best regards,
Sam

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of dcox
Sent: Tuesday, August 28, 2001 1:00 PM
To: [EMAIL PROTECTED]
Subject: IP flag values

Does anyone have or know where to get a complete list of IP flags and their relationships? (In the log/email entry below it's the f= value). Also, the I= values... ACK...

Danny H. Cox

EMAIL NO: 2
DATE: Mon 2001-08-27 11:28:26
TIME: 11:28:26
INTERFACE: (xl0)
ALARM TYPE: Block
IP PACKET: TCP [216.33.236.41/80]-->[xxx.xxx.xxx.xxx/36963] l=0 f=0x11
[g7.law7.hotmail.com/80]-->[xxx.net/36963]
DETAILED DESCRIPTION:
IP packet was rejected.
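
An added example, not part of either e-mail: a small Python parser for the "IP PACKET:" alarm line quoted above that decodes the f= byte using the TCP flag bit assignments from RFC 793 (FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10, URG 0x20). The function names, the regular expression and the list of unusual combinations are assumptions; the line layout is inferred only from the one log entry shown.

```python
import re

# TCP flag bits in header byte offset 13 (RFC 793; ECE/CWR added by RFC 3168).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

# Combinations a normal TCP stack does not send; worth a second look in logs.
ODD_COMBOS = [{"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "RST"}]

# Assumed layout, inferred from the single "IP PACKET:" line in the alarm.
PACKET_RE = re.compile(
    r"IP PACKET:\s+(?P<proto>\w+)\s+"
    r"\[(?P<src>[^/\]]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[^/\]]+)/(?P<dport>\d+)\]\s+"
    r"l=(?P<length>\d+)\s+f=(?P<flags>0x[0-9a-fA-F]+)")


def decode_flags(value):
    """Return the names of the bits set in a TCP flags byte, low bit first."""
    if not 0 <= value <= 0xFF:
        raise ValueError("TCP flags value must fit in one byte")
    return [name for bit, name in TCP_FLAGS if value & bit]


def parse_alarm(line):
    """Parse one alarm line into a dict, or return None if it does not match."""
    m = PACKET_RE.search(line)
    if m is None:
        return None
    flags = decode_flags(int(m["flags"], 16))
    # No flags at all, or a contradictory pair, is flagged as odd.
    odd = not flags or any(combo <= set(flags) for combo in ODD_COMBOS)
    return {"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "payload_len": int(m["length"]), "flags": flags, "odd": odd}


# The packet line from the alarm in this thread (address masked as posted).
SAMPLE = "IP PACKET: TCP [216.33.236.41/80]-->[xxx.xxx.xxx.xxx/36963] l=0 f=0x11"

if __name__ == "__main__":
    print(parse_alarm(SAMPLE))
```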
