
List:       ipfilter
Subject:    Re: bpf, ipfilter, t/tcp, and hell.
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2000-08-26 14:56:53

In some email I received from Erik Fichtner, sie wrote:
> Uhm.  Hopefully, someone on here is a bpf rule writing wizard.   I'm not 
> entirely sure that what I want to do can actually be done, but, since 
> ipfilter is soon to support bpf rules as filters, I want to be able to
> distinguish a t/tcp connection attempt from a syn-fin scan attempt.  
> 
> This is proving maddening..    tcp[13]=3 gives us the presence of the syn
> and fin bits.  tcp[12]>20 gives us a hint that we have options tacked on,
> but I don't see any good way to actually find the cc and ccnew options
> which don't appear to have to be in any specific location.
> 
> any ideas?

Hmm.  Seems like I really should add something to allow filtering on
TCP options then.  You're lost with BPF, unfortunately.

Darren
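
An added example, not part of the original thread and not ipfilter code: the option walk that the question asks for, written as an ordinary C function, since CC and CC.NEW can sit at any position in the option list. The option kinds 11 (CC) and 12 (CC.NEW) are taken from RFC 1644; the function name, verdict names and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Option kinds: EOL/NOP (RFC 793); CC/CC.NEW (RFC 1644, T/TCP). */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_CC = 11, OPT_CCNEW = 12 };
enum { TH_FIN = 0x01, TH_SYN = 0x02 };
enum verdict { NOT_SYNFIN, SYNFIN_TTCP, SYNFIN_NO_CC, MALFORMED };

/* tcp points at the TCP header; len is the number of bytes captured. */
enum verdict classify_synfin(const uint8_t *tcp, size_t len)
{
    if (len < 20) return MALFORMED;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;  /* data offset in bytes */
    if (hlen < 20 || hlen > len) return MALFORMED;
    if ((tcp[13] & (TH_SYN | TH_FIN)) != (TH_SYN | TH_FIN))
        return NOT_SYNFIN;
    /* Walk the options; CC/CC.NEW may sit at any position in the list. */
    for (size_t i = 20; i < hlen; ) {
        uint8_t kind = tcp[i];
        if (kind == OPT_EOL) break;
        if (kind == OPT_NOP) { i++; continue; }
        if (i + 1 >= hlen)
            return MALFORMED;            /* length byte is missing */
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > hlen)
            return MALFORMED;            /* zero-length loop or overrun */
        if ((kind == OPT_CC || kind == OPT_CCNEW) && olen == 6)
            return SYNFIN_TTCP;
        i += olen;
    }
    return SYNFIN_NO_CC;                 /* SYN+FIN without T/TCP options */
}

/* Constructed samples: all header fields zero except data offset and flags. */
const uint8_t sample_ttcp[28] = { [12] = 0x70, [13] = 0x03,   /* NOP NOP CC.NEW */
    [20] = OPT_NOP, OPT_NOP, OPT_CCNEW, 6, 0, 0, 0, 1 };
const uint8_t sample_mss[24]  = { [12] = 0x60, [13] = 0x03,   /* MSS 1460 only */
    [20] = 2, 4, 0x05, 0xb4 };
const uint8_t sample_bare[20] = { [12] = 0x50, [13] = 0x03 }; /* no options */
const uint8_t sample_cut[24]  = { [12] = 0x60, [13] = 0x03,   /* CC overruns header */
    [20] = OPT_CC, 6, 0, 0 };

int main(void)
{
    printf("ttcp=%d mss=%d bare=%d cut=%d\n", (int)classify_synfin(sample_ttcp, 28),
           (int)classify_synfin(sample_mss, 24), (int)classify_synfin(sample_bare, 20),
           (int)classify_synfin(sample_cut, 24));
    return 0;
}
```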
