tcp.flags.str explanation

Is there an explanation or mapping of TCP flags (tcp.flags.str) somewhere? I have Googled and searched the RFCs without luck. I am a data scientist without a networking background, working with networking data.

For example, what does xc2 mean in the following?

<field name="tcp.flags.str" showname="TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7" size="2" pos="46" show="\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7" value="5010"/>
alohawireshark
asked 2020-04-07 12:51:38 +0000

2 Answers

If you look at the expansion of a TCP header, Flags field, in the packet details pane you can see the entry displayed as:

[TCP Flags: ··········S·]

where the "·" represents the flags not set and the "S" represents (in this case) the SYN flag being set in the TCP header flags field. The display uses the initial letter of the flag "name" if it's set, e.g. "A" for Acknowledgement. The square brackets indicate that this is a Wireshark synthesised item and isn't part of the protocol.

In the output, "\x" indicates an escape for a following hex value, so "\xc2" is the hex value 0xc2. These are actually UTF-8 characters, so they have to be combined, as 0xc0 indicates a 2-byte UTF-8 character, giving 0xc2b7, which is the UTF-8 representation of the Unicode code point U+00B7, a "middle dot". In the middle of the string you can see an "A"; this is the UTF-8 representation of an "A".

grahamb
answered 2020-04-07 13:36:15 +0000, updated 2020-04-07 13:39:49 +0000

Comments

Thank you. Your answer was helpful as well. I lack the reputation to upvote it though.

alohawireshark (2020-04-07 14:13:02 +0000)

The TCP Flags is a Unicode string, and rather than being shown as "TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7", it should be displayed as: "TCP Flags: ·······A····". This just means that the ACK bit, and only the ACK bit, is set in the TCP flags field.

By the way, the value="5010" also tells you this same information; however, it's showing you not only the TCP flags, but also the header length (in number of 32-bit words). If you rewrite the value in binary, you get:

5   010
101 000000010000

... so 5 is the header length in 32-bit words, in other words 20 bytes, and the remaining data represents the TCP flags, all of which are 0 except for the ACK bit.

See RFC 793 for a better diagram of these fields (although note that more flags were defined in subsequent RFCs, so RFC 793 doesn't depict all of them).

cmaynard
answered 2020-04-07 13:37:47 +0000, updated 2020-04-07 13:49:01 +0000
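The decoding both answers describe, as an added example that is not part of this thread or of Wireshark's own code: it splits value="5010" into the data offset and the 12 flag bits, renders them in the tcp.flags.str style, and turns the "\xc2\xb7" escapes from the XML export back into middle dots. The flag letter order (ACK at position 8, SYN at position 11) is an assumption taken from the two strings on this page.

```python
"""Decode a Wireshark tcp.flags value (e.g. value="5010") into the TCP data
offset and a tcp.flags.str-style string. Added example, not Wireshark code."""

MIDDLE_DOT = "\u00b7"            # U+00B7, encoded in UTF-8 as the bytes 0xC2 0xB7
# Assumption: one letter per flag bit, highest bit first, matching the
# 12-character strings on the page: Reserved x3, NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN.
FIRST_LETTERS = "RRRNCEUAPRSF"
FLAG_NAMES = ["Reserved", "Reserved", "Reserved", "NS", "CWR", "ECE",
              "URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def split_tcp_word(value_hex: str) -> tuple:
    """Split the 16-bit word at TCP header offset 12 into (data_offset, flags)."""
    word = int(value_hex, 16)
    if not 0 <= word <= 0xFFFF:
        raise ValueError("expected a 16-bit value such as '5010'")
    data_offset = word >> 12     # upper 4 bits: header length in 32-bit words
    flags = word & 0x0FFF        # lower 12 bits: reserved + NS + the 8 flag bits
    return data_offset, flags


def flags_to_str(flags: int) -> str:
    """Render the 12 flag bits the way the tcp.flags.str field does."""
    out = []
    for i, letter in enumerate(FIRST_LETTERS):
        bit = (flags >> (11 - i)) & 1
        out.append(letter if bit else MIDDLE_DOT)
    return "".join(out)


def decode_escaped_flags_str(escaped: str) -> str:
    """Turn the escaped form from the XML export (each \\xNN is one byte)
    back into the Unicode string Wireshark meant: reassemble bytes, decode UTF-8."""
    raw = escaped.encode("latin-1").decode("unicode_escape").encode("latin-1")
    return raw.decode("utf-8")


def describe(value_hex: str) -> dict:
    """Summarise a tcp.flags value: header length in bytes, display string, set flags."""
    data_offset, flags = split_tcp_word(value_hex)
    set_flags = [n for i, n in enumerate(FLAG_NAMES) if (flags >> (11 - i)) & 1]
    return {"header_len_bytes": data_offset * 4,
            "flags_str": flags_to_str(flags),
            "set": set_flags}


if __name__ == "__main__":
    # Constructed input: the value from the question (ACK only, 20-byte header).
    print(describe("5010"))
```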