ra output intrepretation

[Russell Fulton]

HI Carter,
	  Thanks for your comprehensive answer to my query. 

I think that the first packet to port 80 may have had fin flag set thus 
is label EST by ra in detail mode (that is really what I wanted to 
know) and I had forgotten that it would go right through the filter 
which does only block syn packets. This is, of course, the main purpose 
of using fin scans.

I have a slightly modified version of ra that I use for detecting 
scans,  I will add some logic to it to report connections consisting of 
lone fin or fin and rst.

Cheers, Russell.