[Oisf-users] a question about session detection

Anoop Saldanha anoopsaldanha at gmail.com
Sun Jan 17 05:22:01 UTC 2016

On Fri, Jan 15, 2016 at 1:06 PM, Andreas Herz <andi at geekosphere.org> wrote:
> On 14/01/16 at 09:40, Risto Vaarandi wrote:
>> When connecting to port 8023/tcp on a host which responds with RST-ACK
>> packet to the connection attempt, a repeated SYN-packet from the
>> client with the same source port number triggers this signature.
>> Previously, I was thinking that only the exchange of SYN and SYN-ACK
>> packets will mark the connection as established, but apparently it
>> also happens when SYN and RST-ACK are exchanged. Is this expected
>> behavior?
> I may be wrong and it may also depend on the underlying system, but the
> RST-ACK response might be enough to go into the ESTABLISHED state.
> Could you check, if it's Linux, what the conntrack state is?

Wrt, flow: established, if a flow has seen packets in both directions,
the packets of the flow would then be tagged as established.  It's not
related to the tcp state.

Anoop Saldanha
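
The reply above, modelled as an added example that is not part of the original message and is not Suricata's code: a flow is tagged established once packets have been seen in both directions, independent of a (heavily simplified) TCP state tracker. The addresses, source port, function names and the choice to count the current packet are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    initiator: tuple              # (ip, port) of the side that sent the first packet
    to_server_seen: bool = False
    to_client_seen: bool = False
    tcp_state: str = "closed"     # simplified TCP view, kept only for contrast

def tcp_next(state, flags, to_server):
    """Very reduced TCP state tracking (assumption: enough for this scenario)."""
    if "R" in flags:
        return "closed"
    if flags == "S" and to_server:
        return "syn_sent"
    if flags == "SA" and not to_server and state == "syn_sent":
        return "syn_recv"
    if flags == "A" and to_server and state == "syn_recv":
        return "established"
    return state

def tag_packets(packets):
    """Return (flow_established, tcp_state) for each packet, in order."""
    flows, out = {}, []
    for src, sport, dst, dport, flags in packets:
        key = frozenset([(src, sport), (dst, dport)])   # same key for both directions
        flow = flows.setdefault(key, Flow(initiator=(src, sport)))
        to_server = (src, sport) == flow.initiator
        if to_server:
            flow.to_server_seen = True
        else:
            flow.to_client_seen = True
        flow.tcp_state = tcp_next(flow.tcp_state, flags, to_server)
        # Modelling choice: the current packet counts towards "both directions seen".
        out.append((flow.to_server_seen and flow.to_client_seen, flow.tcp_state))
    return out

# Constructed sample: the exchange from the thread (addresses and source port are made up).
CLIENT, SERVER = ("192.0.2.10", 40000), ("192.0.2.20", 8023)
SAMPLE = [
    (*CLIENT, *SERVER, "S"),    # connection attempt
    (*SERVER, *CLIENT, "RA"),   # RST-ACK from the closed port
    (*CLIENT, *SERVER, "S"),    # repeated SYN, same source port
]

if __name__ == "__main__":
    for pkt, (est, tcp) in zip(SAMPLE, tag_packets(SAMPLE)):
        print(pkt[4], "flow established:", est, "| tcp state:", tcp)
```

In this model the repeated SYN is tagged as belonging to an established flow even though the simplified TCP state never reaches established.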
