
Understanding TCP Flags

Updated: Jun 14

TCP flags are used to indicate a particular state during a TCP conversation. TCP flags can be used for troubleshooting purposes or to control how a particular connection is handled.


TCP flags are single-bit fields in the TCP header, each with its own meaning. They are used to initiate connections, carry data, and tear down connections. The commonly used TCP flags are SYN, ACK, RST, FIN, URG and PSH; the details are discussed below.





TCP Flags List

  • SYN (synchronize): Packets that are used to initiate a connection.

  • ACK (acknowledgment): Packets that are used to confirm that data packets have been received; also used to acknowledge connection initiation and teardown requests

  • RST (reset): Signifies that the connection is down, or that the service is not accepting requests

  • FIN (finish): Indicates that the connection is being torn down. Both the sender and the receiver send FIN packets to gracefully terminate the connection

  • PSH (push): Indicates that the incoming data should be passed directly to the application instead of being buffered

  • URG (urgent): Indicates that the data the packet is carrying should be processed immediately by the TCP stack



As an example, a packet analyzer decodes the flags byte of a SYN segment bit by bit as follows:

TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgement field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin

Each flag corresponds to one bit of the flags byte; the numeric values of the corresponding bits are:

URG     ACK     PSH     RST     SYN     FIN
32      16      8       4       2       1

TCP flags can be combined in a single segment to make data transfer more efficient, for example ACK and PSH set together (PSH-ACK). tcpdump can filter packets by their TCP flags.


TCP Flags For 3 Way Handshake

The SYN and ACK flags are used in the TCP three-way handshake to establish a connection.

  • SYN (Synchronize sequence number). This indicates that the segment contains an ISN. During the TCP connection establishment process, TCP sends a TCP segment with the SYN flag set. Each TCP peer acknowledges the receipt of the SYN flag by treating the SYN flag as if it were a single byte of data. The Acknowledgment Number field for the acknowledgment of the SYN segment is set to ISN + 1.

  • ACK (Acknowledgment field is significant). This indicates that the Acknowledgment field contains the next byte expected on the connection. The ACK flag is always set, except for the first segment of a TCP connection establishment.

TCP uses a three-way handshake to establish a reliable connection. The connection is full-duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. The exchange of these flags is performed in three steps: SYN, SYN-ACK, ACK.
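The flag bit values listed above and the three-step SYN, SYN-ACK, ACK exchange can be worked through in code. The following Python is an added example, not part of the original post: it decodes the flags byte (TCP header offset 13), renders the analyzer-style bit lines, classifies segments into the phases this article describes, checks a three-way handshake, and builds the equivalent tcpdump filter expression. The sample flag bytes are constructed, not captured.

```python
from typing import Dict, Iterable, List

# Bit value of each common flag in the low six bits of the flags byte (URG ... FIN).
FLAG_BITS: Dict[str, int] = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}
# The two ECN flags occupy the high bits of the same byte.
ECN_BITS: Dict[str, int] = {"CWR": 128, "ECE": 64}
COMMON_MASK = 0x3F  # selects the six common flags, ignoring CWR/ECE

def decode_flags(byte: int) -> List[str]:
    """Names of every flag set in one flags byte, most significant bit first."""
    return [name for name, bit in {**ECN_BITS, **FLAG_BITS}.items() if byte & bit]

def flags_value(names: Iterable[str]) -> int:
    """Numeric value of a flag combination, e.g. SYN+ACK -> 2 + 16 = 18."""
    return sum(FLAG_BITS[name] for name in names)

def bit_display(byte: int) -> List[str]:
    """Render analyzer-style bit lines such as '......1. = SYN set'."""
    lines = []
    for pos, name in enumerate(FLAG_BITS):  # URG is shown in column 2, FIN in column 7
        col, bit = 2 + pos, 1 if byte & FLAG_BITS[name] else 0
        lines.append("." * col + str(bit) + "." * (7 - col) + f" = {name} {'set' if bit else 'not set'}")
    return lines

def classify(byte: int) -> str:
    """Map a flags byte onto the connection phases described in this article."""
    flags = set(decode_flags(byte))
    if "RST" in flags:
        return "abort (RST)"
    if "FIN" in flags:
        return "graceful close (FIN)"
    if "SYN" in flags:
        return "handshake step 2 (SYN-ACK)" if "ACK" in flags else "handshake step 1 (SYN)"
    if "ACK" in flags:
        return "data transfer (PSH-ACK)" if "PSH" in flags else "pure ACK (handshake step 3 or data acknowledgment)"
    return "invalid: established segments must carry ACK"

def tcpdump_filter(names: Iterable[str]) -> str:
    """tcpdump expression matching segments with exactly these common flags set."""
    return f"tcp[13] & {COMMON_MASK} == {flags_value(names)}"

def is_three_way_handshake(flag_bytes: List[int]) -> bool:
    """True when three consecutive flag bytes form SYN, SYN-ACK, ACK (2, 18, 16)."""
    return [b & COMMON_MASK for b in flag_bytes] == [2, 18, 16]

if __name__ == "__main__":
    for b in (0x02, 0x12, 0x10, 0x18, 0x11, 0x04):  # constructed sample flag bytes
        print(f"0x{b:02x} {'+'.join(decode_flags(b)):<8} -> {classify(b)}")
    print(tcpdump_filter(["SYN", "ACK"]))  # tcp[13] & 63 == 18
```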



TCP Flags For Normal Data Transfer Connection

URG and PSH are used during data transfer.

  • URG (Urgent Pointer field is significant). Indicates that the segment portion of the TCP segment contains urgent data and the Urgent Pointer field should be used to determine the location of the urgent data in the segment.

  • PSH (the Push function). Indicates that the contents of the TCP receive buffer should be passed to the Application Layer protocol. The data in the receive buffer must consist of a contiguous block of data from the left edge of the buffer. In other words, there cannot be any missing segments of the byte stream up to the segment containing the PSH flag; the data cannot be passed to the Application Layer protocol until missing segments arrive. Normally, the TCP receive buffer is flushed (the contents are passed to the Application Layer protocol) when the receive buffer fills with contiguous data or during normal TCP connection maintenance processes. The PSH flag overrides this default behavior and immediately flushes the TCP receive buffer. The PSH flag is used also for interactive Application Layer protocols such as Telnet, in which each keystroke in the virtual terminal session is sent with the PSH flag set. Another example is the setting of the PSH flag on the last segment of a file transferred with FTP. Data sent with the PSH flag does not have to be immediately acknowledged.




TCP Flags For Aborting Connections

RST is used to abort connections. It is very useful when troubleshooting a network connection problem.


  • RST (Reset the connection). Indicates that the connection is being aborted. For active connections, a node sends a TCP segment with the RST flag in response to a TCP segment received on the connection that is incorrect, causing the connection to fail. The sending of an RST segment for an active connection forcibly terminates the connection, causing data stored in send and receive buffers or in transit to be lost. For TCP connections being established, a node sends an RST segment in response to a connection establishment request to deny the connection attempt.




TCP Flags For Terminating Connection

The FIN flag is used to terminate a TCP connection gracefully.


  • FIN (Finish sending data). Indicates that the TCP segment sender is finished sending data on the connection. When a TCP connection is gracefully terminated, each TCP peer sends a TCP segment with the FIN flag set. A TCP peer does not send a TCP segment with the FIN flag set until all outstanding data to the other TCP peer has been sent and acknowledged. Each peer acknowledges receipt of the FIN flag by treating it as if it were a single byte of data. When both TCP peers have sent segments with the FIN flag set and received acknowledgment of their receipt, the TCP connection is terminated.



3 Additional TCP Flags

The CWR, ECE and NS flags are not commonly used.

  • CWR (congestion window has been reduced). Indicates that the sending host has received a TCP segment with the ECE flag set. The congestion window is an internal variable maintained by TCP to manage the size of the send window.

  • ECE (TCP peer is ECN-capable). Indicates that a TCP peer is ECN-capable during the TCP 3-way handshake and to indicate that a TCP segment was received on the connection with the ECN field in the IP header set to 11.

  • NS (nonce sum, 1 bit). ECN-nonce concealment protection.

