Understanding TCP Flags

TCP flags are control bits in the TCP header that govern how a connection is established, maintained, and terminated. Modern TCP defines 9 flag bits: the 6 from the original RFC 793 (URG, ACK, PSH, RST, SYN, FIN), the 2 added for Explicit Congestion Notification in RFC 3168 (CWR, ECE), and the experimental NS bit from RFC 3540. The bit values below are the flag's position in the 16-bit data-offset/flags word of the header; they are the values that Wireshark's tcp.flags field and most packet libraries expose.

Flag  Bit    Full Name                   Purpose
SYN   0x002  Synchronize                 Initiates a connection and synchronizes the initial sequence numbers.
ACK   0x010  Acknowledgment              Marks the acknowledgment number as valid; set on almost every segment after the first SYN.
FIN   0x001  Finish                      Sender has no more data to send; starts a graceful close.
RST   0x004  Reset                       Aborts a connection, or rejects a segment for which no connection exists (for example a SYN to a closed port).
PSH   0x008  Push                        Asks the receiver to hand buffered data to the application immediately instead of waiting for more.
URG   0x020  Urgent                      Marks the Urgent Pointer field as valid.
ECE   0x040  ECN Echo                    Echoes a Congestion Experienced mark back to the sender; set together with CWR on a SYN to negotiate ECN.
CWR   0x080  Congestion Window Reduced   Sender has reduced its congestion window in response to an ECE.
NS    0x100  Nonce Sum                   Experimental ECN nonce (RFC 3540), since reclassified as historic; rarely seen on real networks.

Common TCP Flag Combinations

Flags        Meaning
SYN          Connection request (first segment of the three-way handshake)
SYN, ACK     Connection accepted (second segment of the handshake)
ACK          Acknowledgment of received data, or the third segment of the handshake
PSH, ACK     Data segment the receiver should pass to the application at once
FIN, ACK     Graceful close; in captures each FIN normally carries ACK as well
RST, ACK     Rejection of a SYN sent to a port with no listener (closed port)
RST          Abort of an existing connection; often sent without ACK
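As an added example that is not part of the original post, the following Python decodes the flag bits described in the two tables above straight from a raw TCP header and prints them the way Wireshark does. It uses only the standard library; the header bytes it parses are constructed for the demonstration, and the checksum is left at zero because nothing here verifies it.

```python
import struct

# Bit values of the nine control flags in the 16-bit word that follows the
# acknowledgment number: 4-bit data offset, 3 reserved bits, then
# NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN (most to least significant).
TCP_FLAG_BITS = {
    "NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
    "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001,
}

# Order in which Wireshark lists the set flags inside the bracketed Info column.
WIRESHARK_ORDER = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS")

# Fixed 20-byte part of the header, network byte order:
# src port, dst port, seq, ack, offset/flags, window, checksum, urgent pointer.
TCP_HEADER = struct.Struct("!HHIIHHHH")


def parse_tcp_flags(segment):
    """Return the set of flag names set in a raw TCP segment (header first)."""
    if len(segment) < TCP_HEADER.size:
        raise ValueError("segment shorter than the 20-byte TCP header")
    _src, _dst, _seq, _ack, off_flags, _win, _csum, _urg = TCP_HEADER.unpack_from(segment)
    data_offset = off_flags >> 12            # header length in 32-bit words
    if data_offset < 5:
        raise ValueError("invalid data offset %d (minimum is 5)" % data_offset)
    bits = off_flags & 0x1FF                 # NS plus the eight classic flag bits
    return {name for name, bit in TCP_FLAG_BITS.items() if bits & bit}


def wireshark_label(flags):
    """Format a flag set the way Wireshark's Info column does, e.g. '[SYN, ACK]'."""
    return "[" + ", ".join(f for f in WIRESHARK_ORDER if f in flags) + "]"


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Build a constructed 20-byte TCP header as sample input (checksum left 0)."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAG_BITS[name]
    off_flags = (5 << 12) | bits             # offset 5 words = no options
    return TCP_HEADER.pack(src_port, dst_port, seq, ack, off_flags, window, 0, 0)


if __name__ == "__main__":
    samples = [
        ("handshake step 1", build_tcp_header(40000, 80, {"SYN"}, seq=1000)),
        ("handshake step 2", build_tcp_header(80, 40000, {"SYN", "ACK"}, seq=5000, ack=1001)),
        ("ECN-setup SYN", build_tcp_header(40000, 80, {"SYN", "ECE", "CWR"})),
        ("closed port reply", build_tcp_header(22, 40000, {"RST", "ACK"})),
        ("Xmas probe", build_tcp_header(40000, 80, {"FIN", "PSH", "URG"})),
        # Constructed hex of a SYN, ACK header: offset/flags word is 0x5012.
        ("raw hex", bytes.fromhex("c0a80050000000010000000050 12ffff00000000".replace(" ", ""))),
    ]
    for name, hdr in samples:
        print("%-18s %s" % (name, wireshark_label(parse_tcp_flags(hdr))))
```

The "Xmas probe" line is worth noting: FIN, PSH and URG together never occur in a legitimate connection, so a parser like this is the first step toward spotting the unusual flag combinations that scanners send.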

TCP Three-Way Handshake

Client                      Server
| ------ SYN ------------> |
| <---- SYN, ACK --------- |
| ------ ACK ------------> |
Connection Established

Both SYN segments carry the side's initial sequence number and its options (MSS, window scaling, SACK permitted). A client that wants ECN sets ECE and CWR on its SYN; a server that agrees answers with ECE on its SYN, ACK.

TCP Connection Termination (Four-Way Handshake)

Client                      Server
| ------ FIN ------------> |
| <------- ACK ----------- |
| <------ FIN ------------ |
| ------- ACK -----------> |
Connection Closed

In captures both FIN segments also carry ACK, so they appear as [FIN, ACK]. The side that receives the first FIN often sends its ACK and its own FIN in a single [FIN, ACK] segment, which shortens the close to three segments.

TCP Flags in Wireshark

Wireshark shows the set flags in brackets in the Info column, for example:

  • [SYN]
  • [SYN, ACK]
  • [ACK]
  • [PSH, ACK]
  • [FIN, ACK]
  • [RST]

The display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 isolates connection requests, and tcp.flags.reset == 1 isolates resets; these are the quickest way to count SYNs and RSTs when checking a capture for a scan or flood.

Typical Uses

  • SYN: Start a connection.
  • ACK: Confirm receipt of packets.
  • FIN: Close a connection gracefully.
  • RST: Immediately terminate a connection (e.g., closed port or protocol error).
  • PSH: Deliver data to the application without waiting.
  • URG: Mark urgent data (rarely used today; RFC 6093 recommends against new use, and stacks handle it inconsistently).
  • ECE/CWR: Handle congestion using ECN.
  • NS: Experimental; seldom seen in modern networks.

Understanding these flags is essential for troubleshooting TCP connections, analyzing packet captures, and detecting scans and attacks: a SYN flood shows up as many handshakes that never complete, a SYN scan as one source collecting [RST, ACK] replies from many ports, and a TCP reset attack as [RST] segments injected into established connections.
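The three-way handshake, the four-way close, and the detection cases above can all be driven from the same per-flow state machine. The following Python is an added example, not code from the original post: it tracks each flow's state from the flag sets of its segments over constructed sample traffic (one clean connection, a half-open SYN scan, a SYN flood) and reports half-open handshakes and sources that collect RST replies from many ports. The thresholds HALF_OPEN_TIMEOUT and SCAN_PORT_THRESHOLD are assumed values chosen for the demo.

```python
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the article.
HALF_OPEN_TIMEOUT = 3.0     # seconds a handshake may stay incomplete before it is reported
SCAN_PORT_THRESHOLD = 5     # closed ports one source may hit before it is called a scanner


class TcpFlowTracker:
    """Track each flow's handshake and teardown from the flags of its segments.

    A flow is keyed (client, cport, server, sport); the first bare SYN fixes
    which side is the client.  States: SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    -> FIN_WAIT -> CLOSED, with RESET reachable from anywhere.
    """

    def __init__(self):
        self.flows = {}
        # client IP -> server ports that answered its SYN with RST (closed ports)
        self.rst_replies = defaultdict(set)

    def observe(self, t, src, sport, dst, dport, flags):
        if "SYN" in flags and "ACK" not in flags:
            self.flows[(src, sport, dst, dport)] = {"state": "SYN_SENT", "t_syn": t, "fins": set()}
            return
        if (src, sport, dst, dport) in self.flows:
            flow, from_client = self.flows[(src, sport, dst, dport)], True
        elif (dst, dport, src, sport) in self.flows:
            flow, from_client = self.flows[(dst, dport, src, sport)], False
        else:
            return  # mid-stream segment of a flow whose SYN we never saw
        if "RST" in flags:
            if flow["state"] == "SYN_SENT" and not from_client:
                # SYN answered by RST, ACK: closed port, the SYN-scan signature
                self.rst_replies[dst].add(sport)
            flow["state"] = "RESET"
        elif flow["state"] == "SYN_SENT" and not from_client and {"SYN", "ACK"} <= flags:
            flow["state"] = "SYN_RECEIVED"
        elif flow["state"] == "SYN_RECEIVED" and from_client and "ACK" in flags:
            flow["state"] = "ESTABLISHED"
        elif flow["state"] in ("ESTABLISHED", "FIN_WAIT") and "FIN" in flags:
            flow["fins"].add("client" if from_client else "server")
            # Both FINs seen counts as closed; the final ACK is not tracked separately.
            flow["state"] = "CLOSED" if len(flow["fins"]) == 2 else "FIN_WAIT"

    def half_open(self, now):
        return [k for k, f in self.flows.items()
                if f["state"] in ("SYN_SENT", "SYN_RECEIVED") and now - f["t_syn"] > HALF_OPEN_TIMEOUT]

    def suspected_scanners(self):
        return {ip for ip, ports in self.rst_replies.items() if len(ports) >= SCAN_PORT_THRESHOLD}

    def state_counts(self):
        counts = defaultdict(int)
        for f in self.flows.values():
            counts[f["state"]] += 1
        return dict(counts)


def build_sample_packets():
    """Constructed traffic: a clean connection, a half-open SYN scan, a SYN flood."""
    srv = "192.0.2.10"
    pkts = [  # (time, src, sport, dst, dport, flags)
        (0.00, "10.0.0.5", 40001, srv, 80, {"SYN"}),
        (0.01, srv, 80, "10.0.0.5", 40001, {"SYN", "ACK"}),
        (0.02, "10.0.0.5", 40001, srv, 80, {"ACK"}),
        (0.03, "10.0.0.5", 40001, srv, 80, {"PSH", "ACK"}),
        (0.50, "10.0.0.5", 40001, srv, 80, {"FIN", "ACK"}),
        (0.51, srv, 80, "10.0.0.5", 40001, {"ACK"}),
        (0.52, srv, 80, "10.0.0.5", 40001, {"FIN", "ACK"}),
        (0.53, "10.0.0.5", 40001, srv, 80, {"ACK"}),
    ]
    # SYN scan from one host: five closed ports answer RST, ACK; the open one
    # (443) answers SYN, ACK and the scanner tears it down with a bare RST.
    scanner = "198.51.100.7"
    for i, port in enumerate((21, 22, 23, 25, 110, 443)):
        t = 1.0 + i * 0.01
        pkts.append((t, scanner, 50000 + i, srv, port, {"SYN"}))
        if port == 443:
            pkts.append((t + 0.001, srv, port, scanner, 50000 + i, {"SYN", "ACK"}))
            pkts.append((t + 0.002, scanner, 50000 + i, srv, port, {"RST"}))
        else:
            pkts.append((t + 0.001, srv, port, scanner, 50000 + i, {"RST", "ACK"}))
    # SYN flood from spoofed sources: the server's SYN, ACK is never acknowledged.
    for i in range(20):
        t = 2.0 + i * 0.001
        pkts.append((t, "203.0.113.%d" % (i + 1), 1024 + i, srv, 80, {"SYN"}))
        pkts.append((t + 0.0005, srv, 80, "203.0.113.%d" % (i + 1), 1024 + i, {"SYN", "ACK"}))
    return pkts


def analyze(packets, now):
    """Run the tracker over packets in time order and summarise what it found."""
    tracker = TcpFlowTracker()
    for pkt in sorted(packets, key=lambda p: p[0]):
        tracker.observe(*pkt)
    return {"states": tracker.state_counts(),
            "half_open": len(tracker.half_open(now)),
            "scanners": tracker.suspected_scanners()}


if __name__ == "__main__":
    print(analyze(build_sample_packets(), now=10.0))
```

The two signals differ in what they key on: the scan is attributed to a source address because the scanner really does receive the RST replies, while the flood is counted as half-open flows on the server because its source addresses are spoofed and attributing by source would only produce twenty one-off entries.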
