Getting to Know About ICMP (by Tony Fortunato)
ICMP Destination Unreachable (by Tony Fortunato)

Practical TCP Series – TCP Flags (by Chris Greer)

Chris_greerPacket Pioneer Logo Author Profile - Chris Greer is a Network Analyst for Packet Pioneer. Chris has many years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn’t hunting down problems at the packet level, he can be found teaching various analysis workshops at Interop and other industry trade shows. Chris also delivers training and develops technical content for several analysis vendors.

Chris can be contacted at chris (at) packetpioneer (dot) com.

This is a screenshot of the TCP Flag field in the TCP header:


What are TCP Flags, what does each one do, and how can they help when troubleshooting network problems?  This article will help to answer these questions, and show you why understanding each flag can really help when analyzing a TCP based application.

What are TCP Flags?

During a conversation between client and server, several types of packets are used. Some initiate the connection between the two, some carry data, some are used to only acknowledge data, and others tear connections down. Looking at the 1 byte TCP flag field in a TCP packet will help us to understand the function and purpose of any packet in the connection. When there is a problem, these flags can also help us to figure out what is going on and why.

In the above picture, Wireshark does a great job of automatically highlighting the Flags field. There are a total of 8 flags in the 1 byte flags field, which are “set” by a 1 in the corresponding position. For example, in this picture, the 1 is on the Synchronize bit, which means that this packet is a SYN. At times you may see more than one bit set, as in the case of a SYN/ACK at the beginning of a TCP connection.

The TCP Flags

We will briefly go over each flag and its purpose. There is much that could be written about each flag, but I’ll try to keep it brief and to the point. If you have any extra details you would like to add, please comment at the end of the article.

Congestion Window Reduced - Described in RFC 3168. Only used in TCP connections where Explicit Congestion Notification is used. Rarely seen in most TCP Conversations. ECN allows routers to inform the TCP endpoints that their transmit buffers are filling due to congestion. This allows the TCP endpoints to slow their data transmission to prevent packet loss. The CWR field is set by the sender to show that it received a TCP segment with the ECE flag set.

ECN – Echo – Used only by ECN-TCP connections. The ECN-Echo is sent to inform the other side of the TCP connection that it received an ECN notification from the network. This may trigger a TCP Slow Start. Like the CWR field, this is rarely seen in connections. More detail is available in RFC 3168

Urgent – Simply put, used to indicate that “urgent” data is carried in the packet. The receiving TCP Stack can process the urgent data in this packet immediately.

Acknowledgement – Used to indicate that data has been successfully received. Also used when establishing and tearing down TCP connections. In many cases, every packet in a TCP connection has this flag checked after the initial SYN.

Push – Often set at the end of a block of data, signaling the receiver to process the block of data. This bit can be used to monitor the application blocks on the sending application.

Reset – This bit is used to inform the receiver that the sender has shut this connection down. A reset is an abrupt way to do this, but may be legitimately seen at the end of some TCP connections. Watch for these when experiencing application disconnects.

SYN – This bit is used at the start of the TCP handshake to establish the connection.

FIN – Used to gracefully tear connections down. Each side of the connection sends a FIN, followed by an ACK, then the connection is finished.

How do TCP Flags help when solving problems?

These are few issues that can be tracked down by analyzing the TCP flags in a trace. Using Wireshark, applying the display filter tcp.analysis.flags will display only symptomatic packets. This is a great filter to use when looking at these issues.

SYN Attack – This is a type of denial of service attack where a host sends repeated SYN packets to a server, often on the same port. If the server responds to all these SYNs with a TCP handshake, eventually the server resources will be taken up and it will no longer respond to further SYNs.

Duplicate ACKs – When there is packet loss in a TCP Stream, it is possible to see several duplicate ACKs. When selective acknowledgements are used, the sender of the ACKS (the receiver of the data) will send these to indicate which packet was lost, while acknowledging subsequent packets.

Window Update and Zero Window – These are ACK packets sent to indicate the size of the receive buffer of the host who sent it. If a TCP window is at zero, this informs the other side of the connection that no more room is available in the TCP buffer, and data should stop until further notice. If a station has window problems, data transfer will be slow. More on this in the next article.

Abrupt Resets – If users are being disconnected from an application, check for RST packets. We have seen these sent by incorrectly configured load balancers, as well as applications that are mishandling their TCP stacks.

Understanding the function of each TCP Flag is essential for analyzing application performance problems. The next article in this series will describe TCP Windows, how they work and what impact they can have on performance.

Packet Pioneer Logo

Continue reading other LoveMyTool posts by Chris Greer »