Re: Strange TCP RSTs -- CWR bit?

[Crist Clark <crist.clark () GLOBALSTAR COM>]

Richard Bejtlich wrote:
> Hi all,
>
> Crist, I don't think tcpdump is lying.  According to
> RFC 2481 (A Proposal to add Explicit Congestion
> Notification [ECN] to IP), bit 8 of the TCP reserved
> field is indeed designated the Congestion Window
> Reduced (CWR) bit.  See
> http://www.faqs.org/rfcs/rfc2481.html for more on
> ECN or http://www.faqs.org/rfcs/rfc793.html for the
> TCP header format with the bits clearly explained.
> This CWR bit can also be thought of as being two
> bits left of the URG flag.

I was not clear. When I said tcpdump was "lying," I did not mean to
say that it was broken.

Yes, that is the bit used for CWR. But what I meant by "lying" is that,
no, that is not a valid CWR flag. This is for several reasons: ECN
was not agreed upon for use during the initial handshake, the ECT bit
in the IP header was not set during any of the transactions, no ECN-Echo
was ever sent during the session, and finally (but I may be a little
foggy on this) I do not believe a CWR can be pared with a RST (at least
it makes no sense to).

But yes, you can't really blame tcpdump for this just as you cannot
blame tcpdump when it tells you the truth about any other packet which
has a bogus combination of TCP flags.

Sorry if that was confusing.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster () globalstar com