TCP keep alive will send an ack with no payload for the previous octet
in the stream....
-- Cheers
-- James
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Antony Stone
> Sent: Thursday, June 27, 2002 12:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: detection of the third tcp packet in a tcp connection setup
>
>
> On Thursday 27 June 2002 8:10 pm, Joe Patterson wrote:
>
> > Catching the third packet is easy. The hard part is to both catch the
> > third packet and *not* catch all of the rest of the ack packets.
> >
> > There are some distinguishing characteristics... it is the first
> > packet sent by the client that is in state ESTABLISHED. It should
> > have ACK set and no other flags. The TCP data length should be zero.
>
> Isn't that in itself a bit of a giveaway? I can't think of a reason why a
> zero-length packet should ever occur in the remainder of the data stream...?
>
> There's a -m length --length <min>:<max> match somewhere, but I'm not sure
> if it's in the standard build or p-o-m
>
>
>
> Antony.
>
>
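
Added example, not part of the thread: a small Python classifier showing why "ACK only, zero length" also matches keep-alives and ordinary payload-free ACKs, and how sequence numbers single out the handshake's third packet. The `Seg` record, the function names and the trace are constructed for illustration; the logic assumes one connection with no loss or reordering.

```python
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10
M = 2**32  # TCP sequence numbers wrap modulo 2^32

@dataclass
class Seg:
    from_client: bool
    flags: int
    seq: int
    ack: int
    length: int  # TCP payload bytes

def naive_match(s):
    """The thread's criteria alone: from the client, only ACK set, zero length."""
    return s.from_client and s.flags == ACK and s.length == 0

def classify(segments):
    """Label the client's segments of one connection, in order."""
    labels, client_nxt, server_isn, established = [], None, None, False
    for s in segments:
        if not s.from_client:
            if s.flags == SYN | ACK:
                server_isn = s.seq          # remember the server's ISN
            continue
        if s.flags == SYN:
            client_nxt = (s.seq + 1) % M    # SYN consumes one sequence number
            labels.append("syn")
        elif not naive_match(s):
            if s.length:
                client_nxt = (s.seq + s.length) % M
            labels.append("data" if s.length else "other")
        elif (not established and server_isn is not None
              and s.seq == client_nxt and s.ack == (server_isn + 1) % M):
            established = True              # first ACK answering the SYN-ACK
            labels.append("handshake-ack")
        elif client_nxt is not None and s.seq == (client_nxt - 1) % M:
            labels.append("keepalive")      # re-sends the previous octet's seq
        else:
            labels.append("pure-ack")       # acknowledges server data only

    return labels

# Constructed trace: handshake, 20 bytes up, 100 bytes down, ACK, keep-alive.
TRACE = [
    Seg(True, SYN, 1000, 0, 0), Seg(False, SYN | ACK, 5000, 1001, 0),
    Seg(True, ACK, 1001, 5001, 0), Seg(True, PSH | ACK, 1001, 5001, 20),
    Seg(False, PSH | ACK, 5001, 1021, 100), Seg(True, ACK, 1021, 5101, 0),
    Seg(True, ACK, 1020, 5101, 0),
]
```

On the constructed trace the flag-and-length test matches three client segments, while the sequence-number check labels exactly one of them as the handshake ACK.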