Re: not sure ESTABLISHED TCP traffic will have ACK flag set always...

> The only really questionable flag is the RST where some TCP/IP stacks will
> send packets with the RST flag set if they mistakenly receive a packet that
> was not destined to them.  This is implementation dependent and not clearly
> defined in RFCs and thus a matter of some confusion.

I haven't read this in RFC 793 myself.  However, I've read other
docs /about/ RFC 793 that state that RFC 793 mandates closed
ports *must* send an RST in response to packets.  This is the
basis for at least some of the stealth scans like FIN, Xmas and NULL
IIRC.

It is true that different stacks don't follow the RFC in this area.
MS Windows does not do the proper thing in this area.  This
is why the /absence/ of the RST from a closed port is one way
to do OS fingerprinting!  If every OS followed the RFC in this
area there would not be so much confusion, if I understand things
correctly.

Cheers,

Chris
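
The CLOSED-state reset rule from RFC 793 that the message above refers to, as an added example that is not part of the original message. It parses a raw TCP header and computes the reply the RFC calls for on a closed port; `make_segment`, the port numbers and the sequence values are constructed for illustration, and real stacks may deviate from this rule, as the message notes.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp(segment: bytes):
    """Return (seq, ack, flags, payload_len) from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return seq, ack, off_flags & 0x3F, len(segment) - header_len

def closed_port_reply(segment: bytes):
    """RFC 793 CLOSED state: None if nothing is sent, else (seq, ack, flags) of the reset."""
    seq, ack, flags, payload_len = parse_tcp(segment)
    if flags & RST:
        return None  # an incoming RST is discarded, never answered
    if flags & ACK:
        return (ack, 0, RST)  # <SEQ=SEG.ACK><CTL=RST>
    # SEG.LEN counts SYN and FIN as one sequence number each
    seg_len = payload_len + bool(flags & SYN) + bool(flags & FIN)
    return (0, (seq + seg_len) & 0xFFFFFFFF, RST | ACK)  # <SEQ=0><ACK=SEG.SEQ+SEG.LEN>

def make_segment(seq, ack, flags, payload=b""):
    """Build a constructed segment with a 20-byte header (ports and window are sample values)."""
    header = struct.pack("!HHIIHHHH", 40000, 81, seq, ack, (5 << 12) | flags, 1024, 0, 0)
    return header + payload

# Flag combinations named in the thread, plus SYN, ACK and RST for comparison
PROBES = {"NULL": 0, "FIN": FIN, "Xmas": FIN | PSH | URG,
          "SYN": SYN, "ACK": ACK, "RST": RST}

def table(seq=1000, ack=7777):
    """Map each probe name to the reply an RFC-conformant closed port would send."""
    return {name: closed_port_reply(make_segment(seq, ack, f)) for name, f in PROBES.items()}

if __name__ == "__main__":
    for name, reply in table().items():
        print(f"{name:5} -> {reply}")
```
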

