On Thursday 27 June 2002 8:10 pm, Joe Patterson wrote:
> catching the third packet is easy. The hard part is to both catch the
> third packet and *not* catch all of the rest of the ack packets.
>
> There are some distinguishing characteristics... it is the first packet
> sent by the client that is in state ESTABLISHED. It should have ACK set
> and no other flags. The tcp data length should be zero.
Isn't that in itself a bit of a giveaway? I can't think of a reason why a zero-length packet should ever occur in the remainder of the data stream...? There's a -m length --length <min>:<max> match somewhere, but I'm not sure if it's in the standard build or p-o-m.

Antony.
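As an added illustration, not part of the thread, here is a small Python model of the criteria Joe lists, run over a constructed single-flow packet sequence (the "client"/"server" labels and payload sizes are made up). It contrasts a stateless flags-plus-zero-length check, which is what a plain flag and length rule sees, with a check that also tracks where the flow is in its handshake.

```python
from dataclasses import dataclass

# Flag names used in the constructed samples below.
SYN, ACK, PSH, FIN = "SYN", "ACK", "PSH", "FIN"

@dataclass(frozen=True)
class Pkt:
    src: str             # "client" or "server" (constructed label, not an address)
    flags: frozenset     # TCP flags set on the segment
    payload: int         # TCP data length in bytes

def naive_matches(packets):
    """Stateless criteria: any client segment with only ACK set and no data.
    This is all a rule built from flags plus a length match can see."""
    return [i for i, p in enumerate(packets)
            if p.src == "client" and p.flags == {ACK} and p.payload == 0]

def handshake_matches(packets):
    """Stateful criteria: the first client segment after the SYN/SYN-ACK
    exchange, and only if it is ACK-only with zero payload.
    States for the single modelled flow: None -> SYN_SENT -> SYN_RECV -> ESTABLISHED."""
    state, hits = None, []
    for i, p in enumerate(packets):
        if state is None and p.src == "client" and p.flags == {SYN}:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and p.src == "server" and p.flags == {SYN, ACK}:
            state = "SYN_RECV"
        elif state == "SYN_RECV" and p.src == "client":
            if p.flags == {ACK} and p.payload == 0:
                hits.append(i)
            state = "ESTABLISHED"   # whatever the client sent, the flow is now up
    return hits

# Constructed sequence: handshake, request, response, a later pure ACK, then FIN.
SAMPLE = [
    Pkt("client", frozenset({SYN}), 0),
    Pkt("server", frozenset({SYN, ACK}), 0),
    Pkt("client", frozenset({ACK}), 0),           # index 2: the third packet
    Pkt("client", frozenset({ACK, PSH}), 120),    # request data
    Pkt("server", frozenset({ACK}), 0),
    Pkt("server", frozenset({ACK, PSH}), 900),    # response data
    Pkt("client", frozenset({ACK}), 0),           # index 6: zero-length ACK later on
    Pkt("client", frozenset({FIN, ACK}), 0),
]

if __name__ == "__main__":
    print("stateless:", naive_matches(SAMPLE))      # [2, 6]
    print("stateful: ", handshake_matches(SAMPLE))  # [2]
```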
