
Those are TCP packets for some protocol that tcpdump doesn't dissect (HTTP-over-SSL/TLS, probably, given that they're to and from port 443), so, after the IP addresses, the TCP flags are printed. They are:

  • F - FIN
  • S - SYN
  • R - RST
  • P - PSH
  • U - URG
  • E - ECN Echo
  • W - ECN Cwnd Reduced

If it's blank, no flags are set (which should never happen); if it's just a ".", it's an ACK-only packet (as everything except for the initial SYN should have ACK set, ACK isn't reported except for ACK-only packets).

ECN is Explicit Congestion Notification, specified in RFC 3168.

So:

  • "SWE" has SYN+ECN Echo+ECN Cwnd Reduced; it's an initial SYN, and is, to use the terminology in section 6.1.1 of RFC 3168, an "ECN-setup SYN packet". It indicates that the host sending the packet supports ECN.
  • "E" has SYN+ECN Echo set; it probably also has ACK set (as per the "ack" field in the packet), so it's a SYN+ACK response to the initial SYN, and it is, to use the terminology in section 6.1.1 of RFC 3168, an "ECN-setup SYN-ACK packet". It indicates that the host sending the packet supports ECN.
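As an added illustration (example code, not part of the answer above or of tcpdump itself): a small Python script that pulls the flags byte out of a raw TCP header, renders it as the letters described above, parses such a string back into bits, and classifies a segment per RFC 3168 section 6.1.1 (ECN-setup SYN, ECN-setup SYN-ACK, the non-ECN-setup variants, or an established-connection segment carrying ECE/CWR). The letter order used when printing follows the bulleted list (F, S, R, P, U, E, W); that order is an assumption, since different tcpdump versions order the E and W letters differently (older ones print "SWE", newer ones "SEW"), so the parser treats the letters as a set and accepts either. The sample headers at the bottom are constructed, not from a capture.

```python
"""Decode TCP flag bits to tcpdump-style letters and classify ECN setup
(RFC 3168 section 6.1.1).  Added example; not the answer's or tcpdump's code."""
import struct

# Flag bits, low byte of the 16-bit data-offset/reserved/flags word (RFC 793,
# ECE and CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# Letter per flag in the order used for printing (assumed order, see lead-in).
# ACK is deliberately absent: it is shown only as "." on an ACK-only segment.
FLAG_LETTERS = [(FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"),
                (URG, "U"), (ECE, "E"), (CWR, "W")]
LETTER_TO_FLAG = {letter: bit for bit, letter in FLAG_LETTERS}


def flags_to_string(flags):
    """Render a flags byte the way the answer describes: letters of all set
    flags except ACK; "." for an ACK-only segment; "" if nothing is set."""
    letters = "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)
    if letters:
        return letters
    return "." if flags & ACK else ""


def string_to_flags(text, ack=False):
    """Inverse of flags_to_string, order-insensitive ("SWE" == "SEW").
    tcpdump does not print ACK alongside other letters, so the caller passes
    ack=True when the line also carries an "ack" field."""
    if text == ".":
        return ACK
    flags = 0
    for ch in text:
        if ch not in LETTER_TO_FLAG:
            raise ValueError("unknown TCP flag letter: %r" % ch)
        flags |= LETTER_TO_FLAG[ch]
    return flags | (ACK if ack else 0)


def classify_ecn(flags):
    """Classify per RFC 3168 section 6.1.1.
    ECN-setup SYN: SYN set, ACK clear, ECE and CWR both set.
    ECN-setup SYN-ACK: SYN and ACK set, ECE set, CWR clear (a SYN-ACK with
    any other ECE/CWR combination is a non-ECN-setup SYN-ACK).
    On any other segment ECE means the receiver is echoing a CE mark and
    CWR means the sender has reduced its congestion window."""
    syn, ack = bool(flags & SYN), bool(flags & ACK)
    ece, cwr = bool(flags & ECE), bool(flags & CWR)
    if syn and not ack:
        return "ECN-setup SYN" if (ece and cwr) else "non-ECN-setup SYN"
    if syn and ack:
        return "ECN-setup SYN-ACK" if (ece and not cwr) else "non-ECN-setup SYN-ACK"
    names = [n for n, set_ in (("ECE", ece), ("CWR", cwr)) if set_]
    return "established-connection segment: " + ("+".join(names) if names else "no ECN flags")


def tcp_flags_from_header(hdr):
    """Return the 8 classic flag bits from a raw TCP header (first 14 bytes
    suffice).  The NS bit (bit 8, RFC 3540) is masked off; it is not one of
    the letters discussed above."""
    if len(hdr) < 14:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", hdr[:14])
    return off_flags & 0xFF


def describe(hdr):
    """(flag string, RFC 3168 classification) for a raw TCP header."""
    flags = tcp_flags_from_header(hdr)
    return flags_to_string(flags), classify_ecn(flags)


# Constructed sample headers (not from a real capture): a client SYN to port
# 443 with ECE+CWR, and the server's SYN-ACK with ECE only.  Fields: ports,
# seq, ack, data-offset(5 words)|flags, window, checksum (left 0), urgent ptr.
SAMPLE_ECN_SYN = struct.pack("!HHIIHHHH", 54321, 443, 0x11223344, 0,
                             (5 << 12) | SYN | ECE | CWR, 65535, 0, 0)
SAMPLE_ECN_SYNACK = struct.pack("!HHIIHHHH", 443, 54321, 0x55667788, 0x11223345,
                                (5 << 12) | SYN | ACK | ECE, 65535, 0, 0)

if __name__ == "__main__":
    for name, hdr in (("client SYN", SAMPLE_ECN_SYN), ("server SYN-ACK", SAMPLE_ECN_SYNACK)):
        print(name, *describe(hdr))
```

Run it as-is to see the two constructed segments decoded, or call `classify_ecn(string_to_flags("SWE"))` with a flag string copied from a tcpdump line (pass `ack=True` when the line has an "ack" field, since the "." for ACK is suppressed whenever another letter is printed).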