> Does it work this way?
> src sends SYN => tcp.first
> dst sends SYN+ACK => tcp.opening
> src sends ACK+data => tcp.established
> which seems logical to me.
> If so then it is not clear from the manpage.

Yes.  The description is generic because we also allow you to infer
states from pre-existing connections.
 
> I.e which timeout should I tweak to protect against synfloods?

Tweak tcp.first.  And you might want to tweak tcp.closed if the flooded
host is sending back tcp resets to the SYNs.
 
> An hour seems way too long to keep state for a SYN.

It is an hour in the conservative optimization setting.  It is two
minutes by default and goes down to 30 seconds for the aggressive
optimization or two minutes.

.mike
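A pf.conf fragment that applies the advice in this reply, added here as an example rather than anything from the original mail; the interface name, the address and the 30/10 second values are constructed for illustration:

```pf
# Added example (not from the original mail). $ext_if and $web are
# placeholders; the timeout values are a starting point, not a recommendation.
ext_if = "em0"
web    = "192.0.2.10"      # constructed address for the flooded host

# Option A: use the preset. "aggressive" brings tcp.first down to 30 seconds
# (from the two minute default; "conservative" raises it to an hour), but it
# also shortens every other state timeout.
# set optimization aggressive

# Option B: tune only the two states a SYN flood inflates.
# tcp.first  - state created by the client's SYN, still waiting for the SYN+ACK
# tcp.closed - state kept once the host answers the SYN with a RST
set timeout { tcp.first 30, tcp.closed 10 }

pass in on $ext_if proto tcp from any to $web port 80 keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the values took effect with `pfctl -s timeouts`; `pfctl -s state` shows how many entries sit in the half-open state during a flood.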
