Re: honeyd logs

[Niels Provos <provos () citi umich edu>]

On Wed, Jan 28, 2004 at 04:48:07AM -0800, Thomas Jones wrote:
Content-Description: signed data
> On Tuesday 27 January 2004 09:53 am, Mauricio Smythe wrote:
> > Hi All,
> > Can you sayme please what is the difference beeewn this honeyd logs:
> >
> > 1)    2004-01-16-13:23:14.0175 tcp(6) S xx.xx.xx.xx 32770 yy.yy.yy.yy 80
> > 2)    2004-01-16-13:23:14.0869 tcp(6) E xx.xx.xx.xx 32770 yy.yy.yy.yy 80: 0
> > 0
> >
> > 3)    2004-01-16-14:10:47.0133 tcp(6) -  aa.aa.aa.aa 1025 bb.bb.bb.bb 1133:
> > 40 RA
> >
> > In 1) what that mean the "S"
>
> Let me see if i can decipher them for you!?
> "S" = SYN flag set
>
> > In 2) what that mean the "E" and why its ends whith 80: 0  0, different
> > than the fist one
> "E" = ECN flag set
> "0" = Type 0 codepoint for the ECT?
>
> > In 3) what that mean the "-" and the 40 RA
> "-"= no flags
> "RA" = RST and ACK flags set

Actually, S stands for start of connection and E stands for end of
connection.  The first 0 is number of bytes received and the second
0 is number of bytes sent.

Niels.