Ask Your Question
0

tcp.flags.str explanation

asked 2020-04-07 12:51:38 +0000

alohawireshark gravatar image

Is there an explanation or mapping of TCP flags (tcp.flags.str) somewhere? I have Googled and searched the RFCs without luck. I am a data scientist without a networking background, working with networking data.

For example, what does xc2 mean in the following?

<field name="tcp.flags.str" showname="TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7" size="2" pos="46" show="\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7" value="5010"/>
edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2020-04-07 13:37:47 +0000

cmaynard gravatar image

updated 2020-04-07 13:49:01 +0000

The TCP Flags is a Unicode string, and rather than being shown as "TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7", it should be displayed as: "TCP Flags: ·······A····". This just means that the ACK bit, and only the ACK bit, is set in the TCP flags field.

By the way, the value="5010" also tells you this same information; however, it's showing you not only the TCP flags, but also the header length (in number of 32-bit words). If you rewrite the value in binary, you get:

5   010
101 000000010000

... so 5 is the header length in 32-bit words, in other words 20 bytes, and the remaining data represents the TCP flags, all of which are 0 except for the ACK bit.

See RFC 793 for a better diagram of these fields (although note that more flags were defined in subsequent RFC's, so RFC 793 doesn't depict all of them.)

edit flag offensive delete link more
add a comment
0

answered 2020-04-07 13:36:15 +0000

grahamb gravatar image

updated 2020-04-07 13:39:49 +0000

If you look at the expansion of a TCP header, Flags field, in the packet details pane you can see the entry displayed as:

[TCP Flags: ··········S·]

where the "·" represents the flags not set and the "S" represents (in this case) the SYN flag being set in the TCP header flags field. The display uses the initial letter of the flag "name" if it's set, e.g. "A" for Acknowledgement The square brackets indicate that this is a Wireshark synthesised item and isn't part of the protocol.

In the output, "\x" indicates an escape for a following hex value, so "\xc2" is the hex value 0xc2. These are actually UTF-8 characters, so they have to be combined as 0xc0 indicates a 2 byte UTF-8 character giving 0xc2b7 which is the UTF-8 representation of the Unicode point U+00B7 which is a "middle dot". In the middle of the string you can see an "A". This is the UTF-8 representation of an "A".

edit flag offensive delete link more

Comments

thank you. your answer was helpful as well. i lack the reputation to upvote it though.

alohawireshark gravatar imagealohawireshark ( 2020-04-07 14:13:02 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-04-07 12:51:38 +0000

Seen: 3,094 times

Last updated: Apr 07 '20

Related questions

Wireshark 2.4.1 GTK Crash on long run

Why redirection of VoIP calls to voicemail fails?

Capture incoming packets from remote web server

How do I get and display packet data information at a specific byte from the first byte?

Client is waiting for FIN flag from server for 30 sec

wifi disconnects as wireshark starts

How do I add "child item" to an item in the subtree?

What is the syntax for wireshark custom column

Getting error MSB4018 when trying to build wireshark sources

Monitoring UDP data on wireshark shows ARP packet