Understanding PSH ACK TCP Flags

Updated: Sep 4

PSH and ACK are tcp flags in the TCP protocol. These TCP flags are ways for TCP to communicate between clients and servers.

PSH (push) flag indicates that the incoming data should be passed on directly to the application instead of getting buffered.

ACK (acknowledgment) flag is used to confirm that the data packets have been received, also used to confirm the initiation request and tear down requests. Once a TCP session has been created, every packet contains an ACK flag.


PSH Flag in TCP

The Push flag usually means that data has been sent whilst overriding an in-built TCP efficiency delay, such as Nagle's Algorithm or Delayed Acknowledgements.

These delays make TCP networking more efficient at the cost of some latency (usually around a few tens of milliseconds). A latency-sensitive application does not want to wait around for TCP's efficiency delays so the application will usually disable them, causing data to be sent as quickly as possible with a Push flag set.

The PSH flag (push) is used to tell the client/server to go ahead and send what data it has to the receiving application even if its buffer hasn't filled up. This is usually sent at the end of transmission so the recipient system won't sit around waiting for data to fill the buffer when it isn't coming.


ACK Flag in TCP

ACK (Acknowledgment field is significant). This indicates that the Acknowledgment field contains the next byte expected on the connection. The ACK flag is always set, except for the first segment of a TCP connection establishment.

Capture PSH ACK Packets with Tcpdump

We can use tcpdump to filter packets with flags.

Here are the numbers which match with the corresponding TCP flags.

URG     ACK     PSH     RST     SYN     FIN
32      16      8       4       2       1

The following command is to filter Psh Ack flags. PSH + ACK=8+16=24

tcpdump -i any tcp[tcpflags]==24 

This is the output. [P.] means psh flag and ack flag.

11:53:56.748105 IP > Flags [P.], seq 5758:5814, ack 6948, win 2052, length 56
11:53:56.748287 IP > Flags [P.], seq 5814:6273, ack 6948, win 2052, length 459
11:53:56.748448 IP > Flags [P.], seq 6683:6875, ack 6948, win 2052, length 192


20 Advanced Tcpdump Examples On Linux

Understanding TCP Flags

10 Useful tcpdump command examples

Linux Troubleshooting Guide:

Linux Learning Guide:

屏幕快照 2021-08-08 下午5.16.32.png