[Oisf-users] a question about session detection

Anoop Saldanha anoopsaldanha at gmail.com
Sun Jan 17 05:22:01 UTC 2016


On Fri, Jan 15, 2016 at 1:06 PM, Andreas Herz <andi at geekosphere.org> wrote:
> On 14/01/16 at 09:40, Risto Vaarandi wrote:
>> When connecting to port 8023/tcp on a host which responds with RST-ACK
>> packet to the connection attempt, a repeated SYN-packet from the
>> client with the same source port number triggers this signature.
>> Previously, I was thinking that only the exchange of SYN and SYN-ACK
>> packets will mark the connection as established, but apparently it
>> also happens when SYN and RST-ACK are exchanged. Is this expected
>> behavior?
>
> I may be wrong and it may also depend on the underlying system, but the
> RST-ACK response might be enough to go into the ESTABLISHED state.
>
> Could you check, if it's Linux, what the conntrack state is?
>

Wrt, flow: established, if a flow has seen packets in both directions,
the packets of the flow would then be tagged as established.  It's not
related to the tcp state.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
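
Added example, not part of the original message and not Suricata code: a toy Python flow table that models the behaviour described in the reply above (a flow counts as established once packets have been seen in both directions), alongside a handshake-based TCP state for comparison. The packet model, addresses, ports and all names are constructed for illustration; the sample replays the SYN, RST-ACK, repeated SYN sequence from the report.

```python
from collections import namedtuple

# Constructed packet model: only the fields needed for this illustration.
Packet = namedtuple("Packet", "src sport dst dport flags")

class FlowTable:
    """Toy flow tracker (hypothetical model, not Suricata's implementation)."""

    def __init__(self):
        self.flows = {}

    def process(self, pkt):
        """Return (seen_both_directions, tcp_handshake_done) for this packet."""
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        key = (min(a, b), max(a, b))  # same key for both directions
        flow = self.flows.get(key)
        if flow is None:
            # The first packet defines the client ("to server") side.
            flow = self.flows[key] = {"client": a, "toserver": False,
                                      "toclient": False, "tcp": "NEW"}
        to_server = (a == flow["client"])
        flow["toserver" if to_server else "toclient"] = True
        self._tcp(flow, pkt.flags, to_server)
        both_seen = flow["toserver"] and flow["toclient"]
        return both_seen, flow["tcp"] == "ESTABLISHED"

    @staticmethod
    def _tcp(flow, flags, to_server):
        # Minimal three-way-handshake tracking, kept only for comparison.
        if "R" in flags:
            flow["tcp"] = "CLOSED"
        elif flags == "S" and to_server:
            flow["tcp"] = "SYN_SENT"
        elif flags == "SA" and not to_server and flow["tcp"] == "SYN_SENT":
            flow["tcp"] = "SYN_RECV"
        elif flags == "A" and to_server and flow["tcp"] == "SYN_RECV":
            flow["tcp"] = "ESTABLISHED"

def tag_packets(packets):
    table = FlowTable()
    return [table.process(p) for p in packets]

# Constructed sample: SYN, RST-ACK, then a repeated SYN from the same source port.
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"
REFUSED = [
    Packet(CLIENT, 40000, SERVER, 8023, "S"),
    Packet(SERVER, 8023, CLIENT, 40000, "RA"),
    Packet(CLIENT, 40000, SERVER, 8023, "S"),
]
```

In this model the repeated SYN is tagged as seen-in-both-directions even though no TCP handshake ever completed, which is the mismatch the thread is about.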


