Bugtraq mailing list archives

NT Predictable Initial TCP Sequence numbers: SP5 update


From: Roy.Hills () NTA-MONITOR COM (Roy Hills)
Date: Wed, 29 Sep 1999 14:12:06 +0100


As an update to my post about NT Predictable Initial TCP Sequence numbers
in NT 4 SP4 on 24 August, I've finally got around to running the TCP sequence
number tests on NT 4.0 SP5.  Here are my findings:

SP5 has the same "one-per-millisecond" increment pattern as SP3 and previous
releases.  So it appears that the change introduced in SP4 to make the
initial TCP sequence less predictable (but which didn't help and may have
even made the sequence _more_ predictable - see my previous post for details)
was taken out of SP5.

I've also recently seen a totally different NT initial TCP sequence number
pattern which consists of small positive increments (just like SP4) multiplied
by 64,000.  I think that this could be a post-SP4 hotfix, but I haven't
confirmed this yet.  I'll post an update when I have more information about this.

Roy Hills
NTA Monitor Ltd

--
Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
6 Beaufort Court, Medway City Estate,        Email: Roy.Hills () nta-monitor com
Rochester, Kent ME2 4FB, UK                  WWW:   http://www.nta-monitor.com/
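The three increment patterns Roy describes (a "one-per-millisecond" series, small positive increments, and small positive increments multiplied by 64,000) are easy to tell apart once you have a handful of sampled initial sequence numbers with timestamps. The following is an added example, not code from Roy Hills or NTA Monitor: it takes a list of (timestamp in ms, ISN) pairs, computes the per-sample deltas with 32-bit wrap-around, and reports which of the patterns from the post the sample matches, so an administrator can check whether a host's TCP stack is handing out predictable ISNs. The series in the block are constructed to illustrate each pattern, not real captures; the tolerance and "small increment" thresholds are assumptions chosen for the example.

```python
from typing import List, Tuple

Sample = Tuple[int, int]  # (timestamp_ms, initial sequence number)

# Constructed sample series (not captures from a real host).
ONE_PER_MS: List[Sample] = [(0, 100000), (10, 100010), (25, 100025), (40, 100041), (60, 100060)]
SMALL_INC: List[Sample] = [(0, 5000), (10, 5003), (20, 5007), (30, 5008), (40, 5012)]
SMALL_INC_X64000: List[Sample] = [(0, 64000 * 10), (10, 64000 * 13), (20, 64000 * 15), (30, 64000 * 18)]
NO_PATTERN: List[Sample] = [(0, 0x1A2B3C4D), (10, 0x9F00E112), (20, 0x0301ABCD), (30, 0x77777777)]

# Labels for the patterns described in the post.
TIME_BASED = "time-based (~1 per ms): SP3/SP5 style"
SMALL_POSITIVE = "small positive increments: SP4 style"
SMALL_X64000 = "small positive increments x 64000: post-SP4 hotfix style"
UNCLASSIFIED = "no simple increment pattern found"


def isn_deltas(samples: List[Sample]) -> List[Tuple[int, int]]:
    """Return (time_delta_ms, isn_delta) for each consecutive pair of samples.

    ISNs are 32-bit, so the sequence-number delta is taken modulo 2**32 to
    cope with wrap-around between samples.
    """
    return [
        (later[0] - earlier[0], (later[1] - earlier[1]) & 0xFFFFFFFF)
        for earlier, later in zip(samples, samples[1:])
    ]


def classify_isn_pattern(samples: List[Sample], tolerance: int = 3, small_max: int = 256) -> str:
    """Match a sampled ISN series against the increment patterns from the post.

    tolerance: how far (in sequence units) an increment may stray from the
               elapsed milliseconds and still count as "one per millisecond".
    small_max: largest increment still treated as a "small positive increment".
    Both thresholds are assumptions for this example, not values from the post.
    """
    deltas = isn_deltas(samples)
    if len(deltas) < 2:
        raise ValueError("need at least three samples to judge a pattern")
    time_d = [t for t, _ in deltas]
    isn_d = [i for _, i in deltas]

    # One-per-millisecond: the ISN grows by roughly the elapsed milliseconds.
    if all(abs(i - t) <= tolerance for t, i in zip(time_d, isn_d)):
        return TIME_BASED
    # Small positive increments, independent of elapsed time.
    if all(0 < i <= small_max for i in isn_d):
        return SMALL_POSITIVE
    # Small positive increments scaled by 64,000.
    if all(i % 64000 == 0 and 0 < i // 64000 <= small_max for i in isn_d):
        return SMALL_X64000
    return UNCLASSIFIED


def increment_spread(samples: List[Sample]) -> int:
    """Range of observed ISN increments; a small spread means a narrow
    window of candidate values for the next ISN, i.e. low unpredictability."""
    isn_d = [i for _, i in isn_deltas(samples)]
    return max(isn_d) - min(isn_d)


if __name__ == "__main__":
    for name, series in [("ONE_PER_MS", ONE_PER_MS), ("SMALL_INC", SMALL_INC),
                         ("SMALL_INC_X64000", SMALL_INC_X64000), ("NO_PATTERN", NO_PATTERN)]:
        print(f"{name:18s} spread={increment_spread(series):>11d}  {classify_isn_pattern(series)}")
```

The order of the checks matters: a time-based series sampled at short intervals also has small positive increments, so the time-based test runs first. The spread figure is the useful number for a defender: a series whose increments all fall within a few units leaves very few candidates for the next ISN, which is exactly why the patterns in the post are a problem.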


