TCP flags

[Russell Fulton]

CS Lee wrote:
> Russell,
>
> Thanks, I'm looking at the output and thinking the right one should be
> -Z as there are only 2 packets in the flow. 
The -Z is correct.  The -z is a guess at the TCP states not a record of
the the tcpflags.  I added it because at the time argus did not record
the flags themselves.
> But how about primitives specific supported TCP flows, I'm trying to
> use it to filter all the necessary flow that I need and using synack
> returns fin+ack and fin flow don't seem to be right.
I don't understand what it is you are trying to do, can you give an example.
>
> I think tcp flags state is very important when comes to debugging
> certain traffics thus it should be done correctly especially in
> upcoming 3.x.
>
So far as I know the tcpflag reporting in argus is fine.  I have used it
extensively.

Russell