On Sunday 28 April 2002 10:45 pm, Simon Oosthoek wrote:

> Hi again
>
> sorry for the reply to my own post, but I thought I'd add some additional
> data...
>
> I'm seeing bad new connections from the server itself with these options:
> PROTO=TCP SPT=80 DPT=57520 WINDOW=16896 RES=0x00 ACK URGP=0
>
> I'm also seeing bad new connections with these flags:
> PROTO=TCP SPT=2218 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> PROTO=TCP SPT=2382 DPT=80 WINDOW=8576 RES=0x00 ACK FIN URGP=0
> PROTO=TCP SPT=49252 DPT=80 WINDOW=33120 RES=0x00 ACK RST URGP=0

Why do you say there are "new" connections?

The first one (from a server to a client - all the others are from client to server) has the ACK flag (only) set - which means it is part of an ongoing connection stream. There must have been an initial SYN, and a replying SYN/ACK (and possibly quite a few ACK-only packets) before this one...

Your second example is a RST packet - this can happen any time during a conversation between client and server, and basically means that one of them (or possibly a router in between) is tearing down the connection before it was due to complete.

The third one shows the completion of a connection - typically the machine wishing to end the connection sends a FIN/ACK, and the other end responds with a FIN/ACK to acknowledge it.

I can't offhand recall what the fourth example packet (ACK/RST) means, but I don't think it's an unusual one.

The only thing which strikes me as unusual about all of these is the concept that they could be "new" connections. In my mind, "new" can only mean the initial SYN packet, and possibly the responding SYN/ACK depending on your definitions. Once packets with ACK-only start flowing, the connection qualifies as "established".

Regards,

Antony.
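
As an added illustration (not part of the original message), this Python sketch sorts iptables LOG lines by the TCP flags they carry, following the reply's reading that only a bare SYN opens a connection. The category names and the last sample line are constructed for the example; the other four lines are the ones quoted above.

```python
import re

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def tcp_flags(log_line):
    """Return the set of TCP flag names in one LOG line, or None if not TCP."""
    # In the quoted LOG output the flag names sit between RES= and URGP=.
    m = re.search(r"\bRES=\S+\s+(.*?)\s*URGP=", log_line)
    if not m:
        return None
    return {tok for tok in m.group(1).split() if tok in TCP_FLAGS}

def classify(log_line):
    """Label a packet by its place in a TCP conversation (labels are ours)."""
    flags = tcp_flags(log_line)
    if flags is None:
        return "not-tcp"
    if "RST" in flags:
        return "reset"            # teardown before normal completion
    if "SYN" in flags:
        # Bare SYN opens a connection; SYN/ACK is the reply to that SYN.
        return "handshake-reply" if "ACK" in flags else "opening-syn"
    if "FIN" in flags:
        return "close"            # orderly end of the connection
    if "ACK" in flags:
        return "mid-stream"       # part of an ongoing connection
    return "no-flags"

def not_connection_openers(lines):
    """Lines that cannot be the first packet of a connection."""
    return [l for l in lines if classify(l) != "opening-syn"]

SAMPLE = [
    "PROTO=TCP SPT=80 DPT=57520 WINDOW=16896 RES=0x00 ACK URGP=0",
    "PROTO=TCP SPT=2218 DPT=80 WINDOW=0 RES=0x00 RST URGP=0",
    "PROTO=TCP SPT=2382 DPT=80 WINDOW=8576 RES=0x00 ACK FIN URGP=0",
    "PROTO=TCP SPT=49252 DPT=80 WINDOW=33120 RES=0x00 ACK RST URGP=0",
    # Constructed line: a genuine connection attempt, for contrast.
    "PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line):16} {line}")
```
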
