Catching the third packet is easy. The hard part is to both catch the third packet and *not* catch all of the rest of the ack packets.

There are some distinguishing characteristics... It is the first packet sent by the client that is in state ESTABLISHED. It should have ACK set and no other flags. The tcp data length should be zero.

Probably Patrick's idea of the CONNMARK patch is best. Mark the connection when you see a syn-ack in state established. Then when you see an ack packet that is marked, you unmark the connection and do with it what you wish.

Actually, unmark is probably the wrong term. As I understand it, all packets have a mark, it's just 0x0 unless it's been specifically set. So, mark it as some arbitrary value when you see the syn-ack established, and then mark it as 0 when you see established with the arbitrary mark value.

That should work. Probably the best solution you're likely to get.

-Joe

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ramin Alidousti
> Sent: Thursday, June 27, 2002 2:28 PM
> To: [EMAIL PROTECTED]
> Subject: detection of the third tcp packet in a tcp connection setup
>
>
> Hi,
>
> Does anyone have a good solution to catch the third (ACK) packet
> in a tcp connection setup?
>
> Ramin
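
The mark-then-clear scheme described in the reply, written out as an iptables-restore ruleset. This is an added example, not part of the original thread. It assumes a kernel and iptables build that provide the CONNMARK target and the connmark match, and a firewall that forwards the connection so both directions cross the mangle FORWARD chain; the mark value 0x1, the chain name THIRD_ACK and the LOG action are placeholders chosen for illustration.

```iptables
*mangle
:FORWARD ACCEPT [0:0]
# Hypothetical user chain that handles the one packet we want to catch.
:THIRD_ACK - [0:0]

# Step 1: arm the connection. The server's SYN-ACK is the first reply
# packet, so conntrack already reports the connection as ESTABLISHED.
# 0x1 is an arbitrary non-zero value (every connection starts at 0x0).
-A FORWARD -p tcp -m tcp --tcp-flags ALL SYN,ACK -m state --state ESTABLISHED -j CONNMARK --set-mark 0x1

# Step 2: catch the next ACK-only packet on an armed connection.
# "ALL ACK" requires ACK set and SYN, FIN, RST, PSH, URG clear.
# The zero data length mentioned in the reply is not checked here:
# -m length matches the whole IP packet, so TCP options change the value.
-A FORWARD -p tcp -m tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -m connmark --mark 0x1 -j THIRD_ACK

# Step 3: disarm first, so every later ACK on this connection has
# connmark 0x0 and no longer matches the rule in step 2.
-A THIRD_ACK -j CONNMARK --set-mark 0x0
# Placeholder action; replace with whatever should happen to the packet.
-A THIRD_ACK -j LOG --log-prefix "third-ack: "
COMMIT
```

A retransmitted SYN-ACK re-arms the connection, so the next bare ACK after it is caught as well.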
