INFS3450/INFS6230/INFS6760 – Number Representation – Flags 2

Interpreting Binary Flags Expressed in Hexadecimal


Internet Examples/Forensics (2: TCP)

Security Topic: SYN Floods

Messages decoded by Tshark

    • Example 1 (TCP): 0x0010 ACK

    Flags: 0x0010 (ACK)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...1 .... = Acknowledgment: Set

        .... 0... = Push: Not set

    Window size: 6432

    Checksum: 0x58cd (correct)

    SEQ/ACK analysis

        This is an ACK to the segment in frame: 79

        The RTT to ACK the segment was: 0.000027000 seconds

        TCP Analysis Flags

            A segment before this frame was lost

    • Example 2 (TCP): 0x0002 SYN

Transmission Control Protocol, Src Port: 4286 (4286), Dst Port: sunrpc (111), Seq: 0, Ack: 0, Len: 0

    Source port: 4286 (4286)

    Destination port: sunrpc (111)

    Sequence number: 0    (relative sequence number)

    Header length: 40 bytes

    Flags: 0x0002 (SYN)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...0 .... = Acknowledgment: Not set

        .... 0... = Push: Not set

        .... .0.. = Reset: Not set

        .... ..1. = Syn: Set

        .... ...0 = Fin: Not set

    • Example 3 (TCP): 0x0012 SYN, ACK

Transmission Control Protocol, Src Port: sunrpc (111), Dst Port: 4286 (4286), Seq: 0, Ack: 1, Len: 0

    Source port: sunrpc (111)

    Destination port: 4286 (4286)

    Sequence number: 0    (relative sequence number)

    Acknowledgement number: 1    (relative ack number)

    Header length: 40 bytes

    Flags: 0x0012 (SYN, ACK)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...1 .... = Acknowledgment: Set

        .... 0... = Push: Not set

        .... .0.. = Reset: Not set

        .... ..1. = Syn: Set

        .... ...0 = Fin: Not set

    • Example 4 (TCP): 0x0011 FIN, ACK

Transmission Control Protocol, Src Port: sunrpc (111), Dst Port: 4286 (4286), Seq: 0, Ack: 1, Len: 0

    Source port: sunrpc (111)

    Destination port: 4286 (4286)

    Sequence number: 0    (relative sequence number)

    Acknowledgement number: 1    (relative ack number)

    Header length: 32 bytes

    Flags: 0x0011 (FIN, ACK)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...1 .... = Acknowledgment: Set

        .... 0... = Push: Not set

        .... .0.. = Reset: Not set

        .... ..0. = Syn: Not set

        .... ...1 = Fin: Set

    • Example 5 (TCP): 0x0018 ACK, PSH (Data transfer)

Transmission Control Protocol, Src Port: sunrpc (111), Dst Port: 4286 (4286), Seq: 0, Ack: 1, Len: 0

    Source port: sunrpc (111)

    Destination port: 4286 (4286)

    Sequence number: 0    (relative sequence number)

    Acknowledgement number: 1    (relative ack number)

    Header length: 32 bytes

    Flags: 0x0018 (ACK, PSH)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...1 .... = Acknowledgment: Set

        .... 1... = Push: Set

        .... .0.. = Reset: Not set

        .... ..0. = Syn: Not set

        .... ...0 = Fin: Not set
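The five flag words above all follow one layout: the low byte of the TCP flags word holds FIN at bit 0 through CWR at bit 7, so a hexadecimal value is read by testing each bit, exactly as Tshark does in the per-bit lines. The following Python is an added example (not part of this handout or of Tshark): it decodes a flags word into names, prints the Tshark-style bit diagram, and then uses the decoder on a constructed capture to count half-open handshakes per client, the first indicator a defender checks for a SYN flood. The host addresses and segment list are constructed for illustration, and the short flag names (SYN, ACK) are used in place of Tshark's longer labels.

```python
# Added example: decode Tshark-style TCP flag words and tally half-open
# handshakes. Addresses and segments below are constructed sample data.
from collections import Counter

# Low byte of the TCP flags word: bit 0 = FIN ... bit 7 = CWR (RFC 793/3168).
TCP_FLAG_BITS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def decode_flags(word):
    """Names of the flags set in a flags word, lowest bit first.
    0x0012 -> ['SYN', 'ACK'], 0x0011 -> ['FIN', 'ACK'], 0x0010 -> ['ACK']."""
    return [name for bit, name in enumerate(TCP_FLAG_BITS) if word & (1 << bit)]

def bit_lines(word):
    """Render the low byte the way Tshark does, e.g. '.... ..1. = SYN: Set'."""
    lines = []
    for bit in range(7, -1, -1):                 # CWR (bit 7) is printed first
        val = (word >> bit) & 1
        dots = ["."] * 8
        dots[7 - bit] = str(val)
        pattern = "".join(dots[:4]) + " " + "".join(dots[4:])
        lines.append(f"{pattern} = {TCP_FLAG_BITS[bit]}: {'Set' if val else 'Not set'}")
    return lines

def half_open_by_source(segments):
    """Count connection attempts per client that never completed.
    segments: iterable of (src, dst, flags_word) in capture order.
    A bare SYN opens an attempt; a later bare ACK from the same client to the
    same server (third step of the handshake) closes it. SYN,ACK is ignored."""
    pending = Counter()
    for src, dst, word in segments:
        flags = set(decode_flags(word))
        if "SYN" in flags and "ACK" not in flags:
            pending[(src, dst)] += 1
        elif flags == {"ACK"} and pending[(src, dst)] > 0:
            pending[(src, dst)] -= 1
    per_src = Counter()
    for (src, _dst), n in pending.items():
        per_src[src] += n
    return per_src

# Constructed sample: one normal handshake plus data from 10.0.0.5, then a
# burst of SYNs from 203.0.113.9 that are never followed by the client's ACK.
SAMPLE = [
    ("10.0.0.5", "10.0.0.1", 0x0002),      # SYN
    ("10.0.0.1", "10.0.0.5", 0x0012),      # SYN, ACK
    ("10.0.0.5", "10.0.0.1", 0x0010),      # ACK: handshake complete
    ("10.0.0.5", "10.0.0.1", 0x0018),      # PSH, ACK: data transfer
] + [("203.0.113.9", "10.0.0.1", 0x0002)] * 50   # half-open attempts

if __name__ == "__main__":
    print("\n".join(bit_lines(0x0012)))
    for src, n in half_open_by_source(SAMPLE).most_common():
        print(f"{src}: {n} half-open")
```

Run on a real capture, the segment tuples would come from Tshark's per-packet output (for example its `tcp.flags` field), and a source with a large and growing half-open count relative to completed handshakes is the pattern to alert on.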


TCP Flags Resources:


1. http://www.firewall.cx/tcp-analysis-section-4.php Firewall.cx. A clear explanation of the flags from Urgent through FIN.

2. http://www.securityfocus.com/infocus/1845 Don Parker, Mike Sues, "Packet forensics using TCP" (2005).

3. http://support.microsoft.com/kb/169292 "Basics of Reading TCP/IP traces", Microsoft Help and Support (2007).

4. SYN Floods (DoS attack): http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm

5. Three-way handshake, in INFS6230, see: Tanenbaum 4th, pp. 496-502. On the 3-way handshake, see also: http://support.microsoft.com/kb/172983 (Microsoft), http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-3.htm, or http://www.3wayhandshake.com/

6. Connection release and the two-army problem, see: Tanenbaum/Wetherall 5e, pp. 518-519. On the 2-army problem, see also: http://simplanet.org/content/view/77/


Valerie J. H. Powell, RT(R), PhD, C&IS; Robert Morris University

© 2006 Robert Morris University.

Updated 2012-11-11