[Oisf-users] a question about session detection

Andreas Herz andi at geekosphere.org
Fri Jan 15 21:06:01 UTC 2016

On 14/01/16 at 09:40, Risto Vaarandi wrote:
> When connecting to port 8023/tcp on a host which responds with an RST-ACK
> packet to the connection attempt, a repeated SYN-packet from the
> client with the same source port number triggers this signature.
> Previously, I was thinking that only the exchange of SYN and SYN-ACK
> packets will mark the connection as established, but apparently it
> also happens when SYN and RST-ACK are exchanged. Is this expected
> behavior?

I may be wrong and it may also depend on the underlying system, but the
RST-ACK response might be enough to go into the ESTABLISHED state.

Could you check, if it's Linux, what the conntrack state is?

Andreas Herz

