Ask Your Question
0

tcp.flags.str explanation

asked 2020-04-07 12:51:38 +0000

alohawireshark gravatar image

Is there an explanation or mapping of TCP flags (tcp.flags.str) somewhere? I have Googled and searched the RFCs without luck. I am a data scientist without a networking background, working with networking data.

For example, what does xc2 mean in the following?

<field name="tcp.flags.str" showname="TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7" size="2" pos="46" show="\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7" value="5010"/>
edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
0

answered 2020-04-07 13:37:47 +0000

cmaynard gravatar image

updated 2020-04-07 13:49:01 +0000

The TCP Flags is a Unicode string, and rather than being shown as "TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7", it should be displayed as: "TCP Flags: ·······A····". This just means that the ACK bit, and only the ACK bit, is set in the TCP flags field.

By the way, the value="5010" also tells you this same information; however, it's showing you not only the TCP flags, but also the header length (in number of 32-bit words). If you rewrite the value in binary, you get:

5   010
101 000000010000

... so 5 is the header length in 32-bit words, in other words 20 bytes, and the remaining data represents the TCP flags, all of which are 0 except for the ACK bit.

See RFC 793 for a better diagram of these fields (although note that more flags were defined in subsequent RFC's, so RFC 793 doesn't depict all of them.)

edit flag offensive delete link more
0

answered 2020-04-07 13:36:15 +0000

grahamb gravatar image

updated 2020-04-07 13:39:49 +0000

If you look at the expansion of a TCP header, Flags field, in the packet details pane you can see the entry displayed as:

[TCP Flags: ··········S·]

where the "·" represents the flags not set and the "S" represents (in this case) the SYN flag being set in the TCP header flags field. The display uses the initial letter of the flag "name" if it's set, e.g. "A" for Acknowledgement The square brackets indicate that this is a Wireshark synthesised item and isn't part of the protocol.

In the output, "\x" indicates an escape for a following hex value, so "\xc2" is the hex value 0xc2. These are actually UTF-8 characters, so they have to be combined as 0xc0 indicates a 2 byte UTF-8 character giving 0xc2b7 which is the UTF-8 representation of the Unicode point U+00B7 which is a "middle dot". In the middle of the string you can see an "A". This is the UTF-8 representation of an "A".

edit flag offensive delete link more

Comments

thank you. your answer was helpful as well. i lack the reputation to upvote it though.

alohawireshark gravatar imagealohawireshark ( 2020-04-07 14:13:02 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-04-07 12:51:38 +0000

Seen: 3,186 times

Last updated: Apr 07 '20