How To Remember Your TCP Flags
By Daniel Miessler on August 29th, 2005: Tagged as Computers | Protocols | Security
Many people are familiar with the concept of a mnemonic [nəˈmɑnɪk] — a memory device that uses a phrase based on the first letter of words in a list. Perhaps the most popular of these in the field of networking is the one for the OSI Model. The mnemonic is:
All People Seem To Need Data Processing.
Well, for those that deal with TCP a lot, I thought it might be helpful to have a mnemonic for the TCP flags as well. What I’ve come up with is:
Unskilled Attackers Pester Real Security Folks
Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST
Security = SYN
Folks = FIN
The way this helps me the most is when isolating traffic to capture using Tcpdump. It’s possible, for example, to capture only SYNs (new connection requests), only RSTs (immediate session teardowns), or any combination of the six flags really. As noted in my own little Tcpdump tutorial, you can capture these various flags like so:
Find all SYN packets
tcpdump 'tcp[13] & 2 != 0'
Find all RST packets
tcpdump 'tcp[13] & 4 != 0'
Find all ACK packets
tcpdump 'tcp[13] & 16 != 0'
Notice the SYN example has the number 2 in it, the RST the number 4, and the ACK the number 16. These numbers correspond to where the TCP flags fall on the binary scale. So when you write out:
U A P R S F
…that corresponds to:
32 16 8 4 2 1
So as you read the SYN capture tcpdump 'tcp[13] & 2 != 0', you’re saying: look at the byte at offset 13 in the TCP header, and only grab packets where the flag whose bit value is 2 is not zero. If you go from right to left in the UAPRSF string, you see that the spot where 2 falls is where the S is, and that’s why you’re capturing only SYN packets when you apply that filter.
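To make the byte-13 arithmetic concrete, here is an added example (not code from the original post) that builds a few minimal TCP headers with constructed port and flag values, reads the flag byte the same way the tcpdump filter does, and evaluates the two common filter shapes, "any of these bits set" (tcp[13] & mask != 0) and "exactly these bits set" (tcp[13] & 0x3f == mask). The function and variable names are my own; the bit values are the 32/16/8/4/2/1 column from the post.

```python
import struct

# Bit values of the six flags in byte 13 (offset 13, zero-based) of the TCP
# header, in "Unskilled Attackers Pester Real Security Folks" order.
FLAG_BITS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}
LETTER_TO_FLAG = {name[0]: name for name in FLAG_BITS}  # U A P R S F
SIX_FLAG_MASK = 0x3F  # the two high bits (ECE, CWR) are outside the mnemonic


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Constructed sample data: a minimal 20-byte TCP header (no options).
    flags is an iterable of names such as {"SYN", "ACK"}."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flag_byte, window, 0, 0)


def mask_for(letters):
    """Turn mnemonic letters into a filter mask: "S" -> 2, "SA" -> 18."""
    return sum(FLAG_BITS[LETTER_TO_FLAG[ch]] for ch in letters.upper())


def tcpdump_filter(letters):
    """The tcpdump expression that matches packets with any of these flags."""
    return "tcp[13] & %d != 0" % mask_for(letters)


def decode_flags(tcp_header):
    """Names of the flags set in byte 13 of a raw TCP header."""
    byte13 = tcp_header[13]
    return {name for name, bit in FLAG_BITS.items() if byte13 & bit}


def matches_any(tcp_header, mask):
    """Same test as the filter  tcp[13] & mask != 0  (at least one bit set)."""
    return (tcp_header[13] & mask) != 0


def matches_exactly(tcp_header, mask):
    """Same test as  tcp[13] & 0x3f == mask  (only these flag bits set).
    This is how you separate a bare SYN from a SYN/ACK."""
    return (tcp_header[13] & SIX_FLAG_MASK) == mask


# Constructed sample headers: a handshake's first two packets and a reset.
SAMPLE_HEADERS = {
    "syn": build_tcp_header(40000, 80, {"SYN"}, seq=1000),
    "syn-ack": build_tcp_header(80, 40000, {"SYN", "ACK"}, seq=5000, ack=1001),
    "rst": build_tcp_header(80, 40000, {"RST"}, ack=1001),
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, "byte13=%d" % header[13], sorted(decode_flags(header)),
              "matches", tcpdump_filter("S"), "->", matches_any(header, mask_for("S")))
```

Note that the "& 2 != 0" form catches SYN/ACKs as well as bare SYNs, since both have bit 2 set; matches_exactly shows the stricter comparison you need when you only want new connection requests.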
Remembering these flags and how to isolate them can go a long way in helping low-level network troubleshooting/security work by isolating what it is you want to see and/or capture. And of course the more you can isolate what you want to see, the faster you can solve the problem. I encourage anyone not making use of this powerful feature already to go ahead and add it to their repertoire.