| # |
TCP Field |
Normalization Performed |
| 1 |
Seq Num |
Enforce data consistency in retransmitted segments. |
| 2 |
Seq Num |
Trim data to window. |
| 3 |
Seq Num |
Cold-start: trim to keep-alive. |
| 4 |
Ack Num |
Drop ACK above sequence hole. |
| 5 |
SYN |
Remove data if SYN=1. |
| 6 |
SYN |
If SYN=1 & RST=1, drop. |
| 7 |
SYN |
If SYN=1 & FIN=1, clear FIN. |
| 8 |
SYN |
If SYN=0 & ACK=0 & RST=0, drop. |
| 9 |
RST |
Remove data if RST=1. |
| 10 |
RST |
Make RST reliable. |
| 11 |
RST |
Drop if not in window. |
| 12 |
FIN |
If FIN=1 & ACK=0, drop. |
| 13 |
PUSH |
If PUSH=1 & ACK=0, drop. |
| 14 |
Header Len |
Drop if less than 5. |
| 15 |
Header Len |
Drop if beyond end of packet. |
| 16 |
Reserved |
Clear. |
| 17 |
ECE, CWR |
Optionally clear. |
| 18 |
ECE, CWR |
Clear if not negotiated. |
| 19 |
Window |
Remove window withdrawals. |
| 20 |
Checksum |
Verify, drop if incorrect. |
| 21 |
URG,urgent |
Zero urgent if URG not set. |
| 22 |
URG,urgent |
Zero if urgent > end of packet. |
| 23 |
URG |
If URG=1 & ACK=0, drop. |
| 24 |
MSS option |
If SYN=0, remove option. |
| 25 |
MSS option |
Cache option, trim data to MSS. |
| 26 |
WS option |
If SYN=0, remove option. |
| 27 |
SACK pmt'd |
If SYN=0, remove option. |
| 28 |
SACK opt |
Remove option if length invalid. |
| 29 |
SACK opt |
Remove if left edge of SACK block > right edge. |
| 30 |
SACK opt |
Remove if any block above highest seq. seen. |
| 31 |
SACK opt |
Trim any block(s) overlapping or continguous to cumulative acknowledgement point. |
| 32 |
T/TCP opts |
Remove if NIDS doesn't support. |
| 33 |
T/TCP opts |
Remove if under attack. |
| 34 |
TS option |
Remove from non-SYN if not negotiated in SYN. |
| 35 |
TS option |
If packet fails PAWS test, drop. |
| 36 |
TS option |
If echoed timestamp wasn't previously sent, drop. |
| 37 |
MD5 option |
If MD5 used in SYN, drop non-SYN packets without it. |
| 38 |
other opts |
Remove options. |
