This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tcpdump output: FPU and R flags

0

10:53:04.042608 IP 172.17.2.12.42654 > 172.17.2.6.6000: Flags [FPU], seq 3891587770, win 1024, urg 0, length 0

10:53:04.045939 IP 172.17.2.6.6000 > 172.17.2.12.42654: Flags [R.], seq 0, ack 3891587770, win 0, length 0

Between these two packets I am looking for the set flags and what they mean... What I am assuming is the flags are FPU and R as the packets state, but I am not familiar with these flags and cannot seem to find an answer to what they are anywhere else. Would anyone know what flags they are?

asked 22 Mar '14, 13:09

Cashmen's gravatar image

Cashmen
1111
accept rate: 0%

edited 22 Mar '14, 14:34

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237

One Answer:

0

What you are showing is the output of tcpdump and the flags are documented in the man page of tcpdump.

In short (from the man page):

S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or . (ACK)

For a better understanding of the flags, please visit online resources like the following, and many others.

http://www.tcpipguide.com/free/t_TCPIPTransmissionControlProtocolTCP.htm
http://packetlife.net/blog/2011/mar/2/tcp-flags-psh-and-urg/
http://www.firewall.cx/networking-topics/protocols/tcp/136-tcp-flag-options.html

So, what you are seeing is:

  • 172.17.2.12 sends a TCP frame to 172.17.2.6:6000 with the flags FIN,PUSH,URG
  • the answer from 172.17.2.6 is a RST,ACK (RESET + ACK)

So, one side is closing the connection with a FIN (plus other flags) and the other side 'answers' with a RESET. Why it happens in that way can only be answered by looking at the applications and operating systems in use.

Regards
Kurt

answered 22 Mar '14, 14:03

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 22 Mar '14, 14:17