
Understanding PSH ACK TCP Flags

PSH and ACK are TCP flags. TCP flags are how the two ends of a connection, client and server, signal control information to each other.

The PSH (push) flag indicates that incoming data should be passed directly to the application instead of being buffered.

The ACK (acknowledgment) flag confirms that data packets have been received; it is also used to confirm connection initiation and teardown requests. Once a TCP session has been created, every packet contains an ACK flag.

  • PSH Flag in TCP
  • ACK Flag in TCP
  • Capture PSH ACK Packets with Tcpdump

 

PSH Flag in TCP

The Push flag usually means that data has been sent whilst overriding an in-built TCP efficiency delay, such as Nagle’s Algorithm or Delayed Acknowledgements.

These delays make TCP networking more efficient at the cost of some latency (usually around a few tens of milliseconds). A latency-sensitive application does not want to wait around for TCP’s efficiency delays so the application will usually disable them, causing data to be sent as quickly as possible with a Push flag set.

The PSH flag (push) is used to tell the client/server to go ahead and send what data it has to the receiving application even if its buffer hasn’t filled up. This is usually sent at the end of transmission so the recipient system won’t sit around waiting for data to fill the buffer when it isn’t coming.

ACK Flag in TCP

ACK means that the Acknowledgment field is significant: the field contains the next byte expected on the connection. The ACK flag is always set, except for the first segment of a TCP connection establishment.

Capture PSH ACK Packets with Tcpdump

We can use tcpdump to filter packets with flags.

Here are the numbers which match with the corresponding TCP flags.

URG  ACK  PSH  RST  SYN  FIN
32   16   8    4    2    1

The following command filters PSH ACK packets. PSH + ACK = 8 + 16 = 24.

  • tcpdump -i any 'tcp[tcpflags] == 24'

This is the output. [P.] means that the PSH flag and the ACK flag are set.

11:53:56.748105 IP 40.100.29.194.https > 10.79.98.55.62947: Flags [P.], seq 5758:5814, ack 6948, win 2052, length 56
11:53:56.748287 IP 40.100.29.194.https > 10.79.98.55.62947: Flags [P.], seq 5814:6273, ack 6948, win 2052, length 459
11:53:56.748448 IP 40.100.29.194.https > 10.79.98.55.62947: Flags [P.], seq 6683:6875, ack 6948, win 2052, length 192
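
Added example (not from the original article): the sketch below reads the flags byte the way tcp[tcpflags] does, from constructed 20-byte TCP headers, and compares the exact filter == 24 with the mask form tcp[tcpflags] & 24 == 24. It goes one step beyond the table above by including the ECE (64) and CWR (128) bits that share the same byte; the function names and sample values are assumptions made for illustration.

```python
import struct

# Bit values of the TCP flags byte (header offset 13), in the order tcpdump
# prints them. ECE and CWR are not in the article's table but share the byte.
FLAGS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08),
         (".", 0x10), ("U", 0x20), ("E", 0x40), ("W", 0x80)]
PSH_ACK = 0x08 | 0x10  # 8 + 16 = 24

def build_header(flags, sport=443, dport=62947, seq=5758, ack=6948, win=2052):
    """Constructed 20-byte TCP header: no options, checksum left at 0."""
    offset_byte = 5 << 4  # data offset = 5 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_byte, flags, win, 0, 0)

def flags_byte(header):
    """The byte that tcp[tcpflags] (equivalently tcp[13]) reads."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def tcpdump_notation(value):
    """Render a flags value the way tcpdump prints it, e.g. 24 -> [P.]."""
    return "[" + ("".join(s for s, bit in FLAGS if value & bit) or "none") + "]"

def exact_match(header):
    """tcp[tcpflags] == 24: PSH and ACK set and every other bit clear."""
    return flags_byte(header) == PSH_ACK

def mask_match(header):
    """tcp[tcpflags] & 24 == 24: PSH and ACK set, other bits ignored."""
    return (flags_byte(header) & PSH_ACK) == PSH_ACK

def compare(samples):
    """Return (value, notation, exact, mask) for each constructed sample."""
    rows = []
    for value in samples:
        header = build_header(value)
        rows.append((value, tcpdump_notation(value),
                     exact_match(header), mask_match(header)))
    return rows

# Constructed flag combinations: PSH+ACK, with FIN, with URG, with ECE,
# then a bare ACK and a SYN.
SAMPLES = [24, 25, 56, 88, 16, 2]

if __name__ == "__main__":
    for value, shown, exact, mask in compare(SAMPLES):
        print(f"{value:3d} {shown:7s} ==24: {exact!s:5s}  &24==24: {mask}")
```

A capture filtered with == 24 omits data segments that also carry FIN, URG or an ECN bit, so use the mask form when every pushed segment must appear in the capture.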
