On Sat, Jun 04, 2016 at 12:35:58AM +0200, Peter J. Philipp wrote:
> Hi,
> 
> In Mac OS X when I spoof a packet to it it prints something like this in
> the netstat -na:
> 
> -----
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0  192.168.180.64.22      20.20.20.20.29991      SYN_RCVD
> tcp4       0      0  192.168.180.64.22      20.20.20.20.29999      SYN_RCVD
> -----
> 
> When I do the same to an OpenBSD host between 5.5 and 6.0 (I couldn't
> look further back due to newish hardware sorry), I noticed that no such
> state is written.
> 
> However pfctl -ss picks it up but netstat is silent.  Let me give you an
> example:
> 
> ----
> # pfctl -ss | grep 20.20.20 && netstat -na|grep 20.20.20
> all tcp 192.168.34.4:22 <- 20.20.20.20:19999       SYN_SENT:ESTABLISHED
> ----
> 
> I'm unaware of this ever working on OpenBSD but it could be that it once
> did.  Absolute OpenBSD by Michael W. Lucas (second edition) on page 201
> mentions the SYN_RCVD state, so he must have seen it at one point.
> 
> Also the state diagram of RFC 793 page 23, shows more on this matter. 
> 
> So my question really is:  Why was this functionality removed from
> OpenBSD at some point?  When did that happen?  And why did it happen?  I
> saw mention of SYN_RCVD in 1 comment of the netinet/tcp_input.c file,
> but that was a long time ago and dealt with IPv6.
> 

OpenBSD uses the syncache for TCP sockets in the 3-way handshake to save a
lot of work to create a full socket in case of synfloods, etc.
These unhatched sockets do not show up in the netstat output. Maybe they
should be added but this is the first request that asks for them in the
10+ years we have used the syncache.

-- 
:wq Claudio
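
Added example, not part of the thread and not OpenBSD code: a shell function that compares saved `pfctl -ss` and `netstat -na` output and lists inbound handshakes that pf is tracking but that have no netstat line, which is how the syncache entries discussed above look from userland. The function names and file arguments are assumptions, and the sample data is constructed apart from the one pf line quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Lists inbound TCP handshakes that pf
# tracks but that have no line in netstat. IPv4 only; states with address
# translation (extra fields in pfctl -ss) are skipped.

# hidden_half_open PF_FILE NETSTAT_FILE
hidden_half_open() {
    awk '
        # First input: netstat -na. Remember "local remote" of every TCP line.
        FILENAME == ARGV[1] {
            if ($1 ~ /^tcp/) seen[$4 " " $5] = 1
            next
        }
        # Second input: pfctl -ss. Inbound TCP states still in the handshake,
        # using the state string shown in the post.
        $2 == "tcp" && $4 == "<-" && $6 == "SYN_SENT:ESTABLISHED" {
            l = $3; r = $5
            sub(/:/, ".", l); sub(/:/, ".", r)  # pf ip:port -> netstat ip.port
            key = l " " r
            if (!(key in seen)) print $5 " -> " $3
        }
    ' "$2" "$1"
}

# Constructed samples: the first pf line is the one quoted in the post, the
# rest is made up for the demo.
sample_pf() {
    cat <<'EOF'
all tcp 192.168.34.4:22 <- 20.20.20.20:19999       SYN_SENT:ESTABLISHED
all tcp 192.168.34.4:22 <- 192.0.2.10:50122       ESTABLISHED:ESTABLISHED
EOF
}
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.34.4.22        192.0.2.10.50122       ESTABLISHED
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    sample_pf > "$d/pf"; sample_netstat > "$d/ns"
    hidden_half_open "$d/pf" "$d/ns"
    rm -rf "$d"
}
demo
```

On a live host, redirect the output of `pfctl -ss` and `netstat -na` into two files and pass them in that order.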
