Hi,

In Mac OS X, when I spoof a packet to it, it prints something like this in the netstat -na:

-----
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.180.64.22      20.20.20.20.29991      SYN_RCVD
tcp4       0      0  192.168.180.64.22      20.20.20.20.29999      SYN_RCVD
-----

When I do the same to an OpenBSD host between 5.5 and 6.0 (I couldn't look further back due to newish hardware, sorry), I noticed that no such state is written. However, pfctl -ss picks it up but netstat is silent. Let me give you an example:

----
# pfctl -ss | grep 20.20.20 && netstat -na|grep 20.20.20
all tcp 192.168.34.4:22 <- 20.20.20.20:19999       SYN_SENT:ESTABLISHED
----

I'm unaware of this ever working on OpenBSD, but it could be that it once did. Absolute OpenBSD by Michael W. Lucas (second edition) on page 201 mentions the SYN_RCVD state, so he must have seen it at one point. Also, the state diagram of RFC 793, page 23, shows more on this matter.

So my question really is: Why was this functionality removed from OpenBSD at some point? When did that happen? And why did it happen?

I saw mention of SYN_RCVD in 1 comment of the netinet/tcp_input.c file, but that was a long time ago and dealt with IPv6.

Regards,

-peter