This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Define NEW and ESTABLISHED TCP packet based on TCP control bits

0

How to define NEW and ESTABLISHED TCP packet based on TCP flags? I would think that NEW TCP packet has SYN flag set, ACK flag not set, RST flag not set, FIN flag not set and value of the rest of the flags is not important:

NS CWR ECE URG ACK PSH RST SYN FIN
x  x   x   x   0   x   0   1   0

And ESTABLISHED TCP packets are all the packets with ACK flag set:

NS CWR ECE URG ACK PSH RST SYN FIN
x  x   x   x   1   x   x   x   x

Is this correct?

asked 10 May '17, 04:09

mrtn's gravatar image

mrtn
11669
accept rate: 0%

One Answer:

0

It can be a bit of a "what's your kind of definition for new/established" thing, but basically you're correct - as soon as the SYN flags are done for, the connection is established and all packets carry ACK flag (but should not have SYN set, or RST, because SYN is "new" again, and RST is abort/shutdown).

answered 10 May '17, 04:12

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%