What are TCP Flags?
TCP flags are set within TCP segments to indicate a particular connection state or to carry additional control information. They can therefore be used for troubleshooting or to control how a particular connection is handled. A few TCP flags, such as “SYN”, “ACK”, and “FIN”, are used far more often than the others. In this post, however, we’re going to go through the full list of TCP flags and outline what each one is used for.
List of TCP Flags
Each TCP flag is a single bit in the TCP header. The list below describes each flag in greater detail. Additionally, check out the RFC referenced for certain flags for a more comprehensive explanation.
- SYN - The SYN, or Synchronisation flag, is used as a first step in establishing a 3-way handshake between two hosts. Only the first packet from both the sender and receiver should have this flag set. The following diagram illustrates a 3-way handshake process.
- ACK - The ACK flag, which stands for “Acknowledgment”, is used to acknowledge the successful receipt of a packet. As we can see from the diagram above, the receiver sends an ACK as well as a SYN in the second step of the 3-way handshake process to tell the sender that it received its initial packet.
- FIN - The FIN flag, which stands for “Finished”, means there is no more data from the sender. Therefore, it is used in the last packet sent from the sender.
- URG - The URG flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See RFC 6093 for more details.
- PSH - The PSH flag, which stands for “Push”, is somewhat similar to the URG flag and tells the receiver to hand the data to the receiving application as it arrives instead of buffering it.
- RST - The RST flag, which stands for “Reset”, is sent back to the sender when a packet arrives at a host that was not expecting it, aborting the connection.
- ECE - The ECE flag, which stands for ECN-Echo, indicates whether the TCP peer is ECN (Explicit Congestion Notification) capable. See RFC 3168 for more details.
- CWR - The CWR flag, which stands for Congestion Window Reduced, is used by the sending host to indicate it received a packet with the ECE flag set. See RFC 3168 for more details.
- NS (experimental) - The NS flag, which stands for Nonce Sum, is still an experimental flag used to help protect against accidental or malicious concealment of ECN-marked packets from the sender. See RFC 3540 for more details.
Analyzing TCP Flags in the CLI
You can view which TCP flags are set on every TCP packet directly from your command line interface by running tcpdump. It needs to be run as root, so if you are not logged in as root, run it with sudo as in the commands below.
Run without a filter, tcpdump captures all packets being sent and displays packets containing any of the TCP flags. If you would like to capture only packets that have a certain flag set, use one of the following commands. Each one tests the flag byte at offset 13 of the TCP header against the bit value of a single flag:
sudo tcpdump 'tcp[13] & 16 != 0'   # ACK
sudo tcpdump 'tcp[13] & 2 != 0'    # SYN
sudo tcpdump 'tcp[13] & 1 != 0'    # FIN
sudo tcpdump 'tcp[13] & 32 != 0'   # URG
sudo tcpdump 'tcp[13] & 8 != 0'    # PSH
sudo tcpdump 'tcp[13] & 4 != 0'    # RST
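As an added example (not part of the original post), the following Python decodes the flag byte of a raw TCP header using the same bit values the tcpdump filters above test, handles the NS bit that lives in byte 12 (RFC 3540), and checks a constructed three-way handshake against an ACK filter mask. The header builder and the handshake segments are constructed for the example.

```python
import struct

# Flag bit values in TCP header byte 13: the same masks the tcpdump
# filters use (e.g. tcp[13] & 16 != 0 selects segments with ACK set).
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}
NS_MASK = 0x01  # NS is the low bit of byte 12, next to the data offset (RFC 3540)


def decode_flags(tcp_header: bytes) -> list:
    """Return the names of the flags set in a raw TCP header (>= 20 bytes)."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    offset_byte, flag_byte = tcp_header[12], tcp_header[13]
    flags = [name for name, mask in TCP_FLAGS.items() if flag_byte & mask]
    if offset_byte & NS_MASK:
        flags.append("NS")
    return flags


def matches_filter(tcp_header: bytes, mask: int) -> bool:
    """Mirror of the tcpdump filter 'tcp[13] & <mask> != 0'."""
    return (tcp_header[13] & mask) != 0


def build_header(src_port: int, dst_port: int, seq: int, ack: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header (no options, NS bit clear)."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


# Constructed three-way handshake: SYN, then SYN/ACK, then ACK.
HANDSHAKE = [
    build_header(40000, 443, 1000, 0, TCP_FLAGS["SYN"]),
    build_header(443, 40000, 5000, 1001, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    build_header(40000, 443, 1001, 5001, TCP_FLAGS["ACK"]),
]


def handshake_flags() -> list:
    """Decoded flags for each segment of the constructed handshake."""
    return [decode_flags(h) for h in HANDSHAKE]


if __name__ == "__main__":
    for hdr in HANDSHAKE:
        print(decode_flags(hdr), "matches ACK filter:", matches_filter(hdr, 16))
```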
Knowing your TCP flags can be quite useful for troubleshooting purposes. If you need to quickly analyze your TCP packets, it’s easy to run a tcpdump command for a particular flag and then retrieve the results you require. Be sure to check out the RFC referenced for each of the corresponding TCP flags above for even greater detail on what each one is used for and how it works.