Learning Tcp flags

TCP标志详解:握手、确认与关闭
最新推荐文章于 2025-11-25 07:55:33 发布
转载 最新推荐文章于 2025-11-25 07:55:33 发布 · 120 阅读 · 0 ·
CC 4.0 BY-SA版权
原文链接:https://www.howtouselinux.com/post/tcpdump-capture-packets-with-tcp-flags
文章标签:

#linux #docker #ubuntu #服务器

TCP标志包括SYN、ACK、FIN等,它们在建立和终止连接中起关键作用。SYN用于初始化三次握手,ACK确认接收到的数据,FIN表示发送方不再有数据。URG标记紧急数据,PSH提示立即处理数据,RST用于重置连接,ECE和CWR处理拥塞控制,NS是实验性的安全特性。

What are TCP flags?

Each TCP flag corresponds to 1 bit in size. The list below describes each flag in greater detail. Additionally, check out the corresponding RFC section attributed to certain flags for a more comprehensive explanation.

  • SYN - The synchronisation flag is used as a first step in
    establishing a three way handshake between two hosts. Only the first
    packet from both the sender and receiver should have this flag set.
    The following diagram illustrates a three way handshake process.
  • ACK - The acknowledgment flag is used to acknowledge the successful
    receipt of a packet. As we can see from the diagram above, the
    receiver sends an ACK as well as a SYN in the second step of the
    three way handshake process to tell the sender that it received its
    initial packet.
  • FIN - The finished flag means there is no more data from the sender.
    Therefore, it is used in the last packet sent from the sender.
  • URG - The urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See RFC 6093 for more details.
  • PSH - The push flag is somewhat similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them.
  • RST - The reset flag gets sent from the receiver to the sender when a packet is sent to a particular host that was not expecting it.
  • ECE - This flag is responsible for indicating if the TCP peer is ECN capable. See RFC 3168 for more details.
  • CWR - The congestion window reduced flag is used by the sending host to indicate it received a packet with the ECE flag set. See RFC 3168 for more details.
  • NS (experimental) - The nonce sum flag is still an experimental flag used to help protect against accidental malicious concealment of packets from the sender. See RFC 3540 for more details.

Reference:

Tcpdump: Filter Packets with Tcp Flags

Understanding TCP Flags

曹大卫779
关注
嵌入式Linux网络编程——TCP/UDP
hceng_linux
05-06 2086
优快云仅用于增加百度收录权重,排版未优化,日常不维护。请访问:www.hceng.cn 查看、评论。 本博文对应地址: https://hceng.cn/2017/12/30/嵌入式Linux网络编程——TCP_UDP/#more 本文主要记录TCP/UDP网络编程的基础知识,采用TCP/UDP实现宿主机和目标机之间的网络通信。 回想去年校招那会,笔试题老是出现TCP/UDP相关的内容。 那时...
Linux下socketAPI的使用,实现udp和tcp通信
Zebra的博客
02-04 2004
/ 创建 socket 文件描述符 (TCP/UDP, 客户端 + 服务器)一个文件描述符,执行socket()函数创建套接字的时候,相当于把网络以文件的形式打开了。创建失败就返回小于0的数// 绑定端口号 (TCP/UDP, 服务器)如果绑定成功返回0,绑定失败返回-1注意:bind(sock, (struct sockaddr*)&local, sizeof(local))传入第二个参数的时候需要进行强转。
tcpip实验指导书
05-26
这是一份TCPIP的实验指导书
协议栈(TCP被动连接三次握手)
Jiajun Zhu
05-30 2629
协议栈和标准TCP协议的TCP状态转换略有不同: 第三次握手时,在tcp_v4_syn_recv_sock() -> tcp_create_openreq_child() -> inet_csk_clone()中设置state为TCP_SYN_RECV,在tcp_child_process() -&amp
TCP flags组合
weixin_34138377的博客
10-09 385
2019独角兽企业重金招聘Python工程师标准>>> ...
TCP Flag究竟是怎么回事
linux_tcpdump的博客
04-07 1119
学习TCP FlagsTCP层,有个FLAGS字段,这个字段有以下几个标识:SYN, FIN, ACK, PSH, RST, URG. 其中,对于我们日常的分析有用的就是前面的五个字段。 它们的含义是: SYN表示建立连接, FIN表示关闭连接, ACK表示响应, PSH表示有 DATA数据传输, RST表示连接重置。 其中,ACK是可能与SYN,FIN等同时使用的,比如SYN和ACK可能同时为1,它表示的就是建立连接之后的响应, 如果只是单个的一个SYN,它表示的只是建立连接。 TCP的几次握手就是通
TCP重传与超时机制:解锁网络性能之秘
探索C++编程的奥秘,分享深入的技术见解和实践,旨在激发读者创造力与解决问题的思维。
04-29 3740
TCP重传与超时:解锁网络性能之秘
TCP/UDP Linux网络编程详解
qq_30592303的博客
11-23 662
TCP/UDP Linux网络编程详解 本文主要记录TCP/UDP网络编程的基础知识,采用TCP/UDP实现宿主机和目标机之间的网络通信。 内容目录 1. 目标 2.Linux网络编程基础 2.1 嵌套字 2.2 端口 2.3 网络地址 2.3.1 网络地址的格式 2.3.2 网络地址的转换 2.4 字节序 3.TCP 3.1 TCP流程图 3.2 TCP步骤分析 3....
Linux 软件通信协议 - 套接字 Socket TCP
iFinelio Tower 的博客
10-18 418
一起来应用 Socket TCP
TCP/IP Four Layer Protocol Format Learning
weixin_30302609的博客
11-04 178
相关学习资料 tcp-ip详解卷1:协议.pdf 目录 0. 引言 1. 应用层 3. 传输层 4. 网络层 0. 引言 协议中的网络字节序问题 在学习协议格式之前,有一点必须明白,否则我们在观察抓包数据的时候可能会产生疑惑: 1. 协议格式中的字段排布,最高位在左边,记为0bit;最低位在右边,记为31 bit。 2. 4个字节的32bit...
Bridge Counters 10.15.1 Bridge Ingress Counters 10.15.1.1 Bridge Drop Counter The Bridge engine can assign a HARD or SOFT DROP command to packets for many reasons. The Bridge engine maintains a 32-bit counter that can be configured to count all bridge packet drop events, or only count packet drop events due to a specifically configured reason. The specific reasons for a Bridge drop are:  Spanning Tree port state drop (Spanning Tree Filtering)  FDB entry command drop (FDB Entry Command)  MAC SA Moved Event (Moved MAC Command)  ARP CPU code (Router Security Checks for Bridged IPv4/6 and ARP Traffic)  MAC SA is DA (Source Address is destination address)  Source IP Equals Destination IP Event (Source IP (SIP) is Destination IP (DIP))  TCP/UDP Source Port Equals Destination Port (TCP/UDP Source Port is Destination Port)  Invalid SA drop (FDB Source MAC Learning) (FDB Source MAC Learning)  TCP Packet With Fin Flag And Without Ack (TCP Flags with FIN without ACK)  IEEE Reserved Drop (IEEE Reserved Multicast)  ICMP (MLD and Other IPv6 ICMP)  TCP Packet Without Full Header (TCP Without Full Header)  IPv4 RIPv1 (Routing Information Protocol (RIPv1))  IPv6 Neighbor Solicitation (IPv6 Neighbor Solicitation)  Unregistered IPv4 Broadcast drop (Per-eVLAN Unregistered IPv4 Broadcast Filtering)  Unregistered non-IPv4 Broadcast drop (Per-eVLAN Unregistered Non-IPv4 Broadcast Filtering)  Cisco command (Proprietary Layer 2 Control Multicast)  Unregistered Non-IP Multicast drop (Per-eVLAN Unregistered Non-IPv4/6 Multicast Filtering)  Unregistered IPv4 Multicast drop (Per-eVLAN Unregistered IPv4 Multicast Filtering) Unregistered IPv6 Multicast drop (Per-eVLAN Unregistered IPv6 Multicast Filtering)  Unknown Unicast drop (Per-eVLAN Unknown Unicast Filtering)  Secure Automatic Learning Unknown SA drop (Secure Automatic Learning)  eVLAN not valid drop (Invalid eVLAN Filtering)  Physical Port not member in VLAN drop (eVLAN Ingress Filtering)  eVLAN range drop (eVLAN Range Filtering)  Moved static address drop (FDB Static Entries)  MAC Spoof Protection Event (MAC Spoof Protection)  ARP MAC SA Mismatch (ARP MAC SA Mismatch)  Controlled Learning Unknown MAC SA drop (Source MAC Address CPU Controlled Learning)  SYN with data (TCP SYN Packet with Data)  TCP over Multicast (TCP over MAC Multicast/Broadcast)  Bridge Access Matrix (Bridge Access Matrix)  Fragmented ICMPv4 (Fragmented ICMPv4)  TCP Flags Zero (Zero TCP Flags)  TCP Flags FIN, URG and PSH (TCP Flags with FIN-URG-PSH)  TCP Flag SYN and FIN (TCP Flags with SYN-FIN)  TCP Flags SYN and RST (TCP Flags with SYN-RST)  TCP/UDP Port is Zero (Zero TCP/UDP Port)  Bridge Access Matrix Drop (Bridge Access Matrix)  Acceptable Frame Type (Acceptable Frame Type Filtering)  eVLAN MRU (eVLAN Maximum Receive Unit (MRU))  Rate Limiting drop (Ingress Port Storm Rate Limit Enforcement)  Local ePort drop (Bridge Local Switching)  IP Multicast In Iana Range Drop (IP and Non-IP Multicast Filtering)  IP Multicast Not In Iana Range Drop (IP and Non-IP Multicast Filtering)  DSA Tag Source Device is Local Device Drop (Loop Detection) Configuration  To configure the Bridge Drop Counter reason, use the <Bridge Drop Counter Mode> field in the Bridge Global Configuration1 Register (Table 320 p. 2219).  To read/write to the Bridge Drop Counter, read/write to the <BridgeDropCnt> field in the Bridge Filter Counter Register (Table 368 p. 2309) according 10.15.1.2 Bridge Host Counters A set of Host Group counters is maintained for a configured MAC Source Address and MAC Destination Address. These counters correspond to RMON-1 MIB (RFC 2819) Host counters. Configuration  To configure the MAC DA to be used by the host counters, use the MAC Address Count0 Register (Table 373 p. 2311) and the MAC Address Count1 Register (Table 374 p. 2311).  To configure the MAC SA to be used by the host counters, use the MAC Address Count1 Register (Table 374 p. 2311) and the MAC Address Count2 Register (Table 375 p. 2311).  The hostInPkts counter can be read from the Host Incoming Packets Count Register (Table 376 p. 2311). This counter is clear-on-read.  The hostOutPkts counter can be read from Host Outgoing Packets Count Register (Table 377 p. 2311). This counter is clear-on-read.  The hostOutBroadcastPkts counter can be read from Host Outgoing Packets Count Register (Table 377 p. 2311) This counter is clear-on-read.  The hostOutMulticastPkts counter can be read from Host Outgoing Packets Count Register (Table 377 p. 2311). This counter is clear-on-read. 10.15.1.3 Bridge Matrix Group A packet counter is maintained for a single, CPU-configured MAC source/Destination Address pair. These counters correspond to RMON-1 MIB (RFC 2819) Matrix counters. Configuration Read the matrixSDPkts counter from the <MatrixSDPkts> field in the Matrix Source/Destination Packet Count Register (Table 380 p. 2312) accordingly. This counter is clear-on-read. Table 34: Host Counters Counter Name Counter Description hostInPkts The number of good packets1 with a MAC DA matching the CPU-configured MAC DA. hostOutPkts The number of good packets with a MAC SA matching the CPU-configured MAC SA. hostOutBroadcast Pkts The number of good Broadcast packets with a MAC SA matching the configured MAC SA. hostOutMulticastPkts The number of good Multicast Packets with a MAC SA matching the configured MAC SA. 1. Good packets are error-free Ethernet packets that have a valid frame length, per RFC 2819. Table 35: Matrix Source Destination Counters Counter Name Counter Description matrixSDPkts The number of good packets with a MAC SA/DA matching the CPU￾configured MAC SA/DA 10.15.1.4 Bridge ePort/eVLAN/Device Counters There are two sets of Ingress ePort/eVLAN/device bridge counters—Set-0 and Set-1. Each counter-set is applied to a configured packet Ingress stream based on eVLAN and ePort. eVLAN and ePort can be set as a wildcard (traffic from all ePorts for the eVLAN), all traffic for the ePort, and all traffic in the switch. Each counter-set can be configured independently. Each counter-set maintains four counters as described in Table 36. Table 36: Ingress Port/VLAN/Device Counters per Counter-Set Counter Name Counter Description Bridge In Frames Counter Number of packets received by the bridge according to the specified mode criteria. Depending on the mode selected, this counter can be used to satisfy Bridge and SMON MIB objects (RFC 2674 and RFC 2613) such as: • dot1dTpPortInFrames (mode 1). • smonVlanIdStatsTotalPkts (mode 2). • dot1qTpVlanPortInFrames (mode 3). eVLAN Ingress Filtered Packet Counter Number of packets discarded due to invalid eVLAN, eVLAN not in Range, or Ingress physical port not eVLAN member. This counter can be used to satisfy Bridge MIB objectdot1qTpVlanPortInDiscard (mode 3) Security Filtered Packet Counter Number of packets discarded due to Security Filtering measures: • FDB command drop (Section 10.4.4). • Invalid SA drop (Section 10.4.8). • Moved Static address is a Security Breach drop (Section 10.4.9). • Unknown source MAC command drop, and unknown source MAC is Security breach (Section 10.4.8.4). Bridge Filtered Packet Counter Number of packets dropped by the Bridge for reasons other than eVLAN Ingress filtering and Security breach events. This counter counts packets dropped due any of the following reasons: • Rate Limiting drop (Section 10.10, Ingress Port Storm Rate Limit Enforcement) • Local port drop (Section 10.13, Bridge Local Switching) • Spanning Tree state drop (Section 10.3, Spanning Tree Filtering) • IP Multicast drop (Section 10.12, IP and Non-IP Multicast Filtering) • Non-IP Multicast drop (Section 10.12) • Unregistered Non-IPM Multicast drop (Section 10.11.1.2, Per-eVLAN Unregistered Non-IPv4/6 Multicast Filtering) • Unregistered IPv6 Multicast drop (Section 10.11.1.4, Per-eVLAN Unregistered IPv6 Multicast Filtering) • Unregistered IPv4 Multicast drop (Section 10.11.1.3, Per-eVLAN Unregistered IPv4 Multicast Filtering) • Unknown Unicast drop (Section 10.11.1.1, Per-eVLAN Unknown Unicast Filtering) • Unregistered IPv4 Broadcast drop (Section 10.11.1.5, Per-eVLAN Unregistered IPv4 Broadcast Filtering) • Unregistered non-IPv4 Broadcast drop (Section 10.11.1.6, Per-eVLAN Unregistered Non-IPv4 Broadcast Filtering) This counter can be used to satisfy Bridge MIB objects: • dot1dTpPortInDiscards • dot1qTpVlanPortInDiscards Configuration  To configure counter set 0/1 criteria, use the <Set<n>ePort>, and <Set<n>CntMode> fields in the Counters Set<n> Configuration 0 Register (n=0–1) (Table 381 p. 2312) and the <Set<n>eVLAN> field in the Counters Set<n> Configuration 1 Register (n=0–1) (Table 382 p. 2312).  The following counters can be read from their respective registers. These counters are clear on read: • Set<n> VLAN Ingress Filtered Packet Count Register (n=0–1) (Table 384 p. 2313) • Set<n> Security Filtered Packet Count Register (n=0–1) (Table 385 p. 2313) • Set<n> Bridge Filtered Packet Count Register (n=0–1) (Table 386 p. 2313) • Set<n> Incoming Packet Count Register (n=0–1) (Table 383 p. 2313)翻译一下
11-18
C --> C1[TCP/UDP异常标志] & C2[ICMP分片] & C3[保留组播] D --> D1[生成树阻塞] & D2[本地端口丢弃] & D3[无效VLAN] E --> E1[未注册组播] & E2[未知单播] & E3[速率限制] ``` **配置方法**: - **选择统计...
一次网页请求背后的连接
王浴昊
12-07 6143
一次网页请求背后的连接 想成为一个优秀的前端,对互联网协议是必须要了解的。本文使用WireShark抓包工具,对一次网页请求背后的TCP连接、HTTP请求进行了详细的展示。对网页请求中浏览器使用的并行连接、持久连接以及TCP连接建立关闭的过程均有所分析讨论,对HTTP如何封装在TCP中进行数据请求以及数据的响应返回也有所展示。供学习交流之用。 TCP简介本文从传输层的报文开始,下层网络IP层、链
P4-learning——ecmp
csdn_ggboy的博客
02-19 1056
ecmp 充分利用链路,实现负载均衡 拓扑 { "program": "p4src/ecmp.p4", "switch": "simple_switch", "compiler": "p4c", "options": "--target bmv2 --arch v1model --std p4-16", "switch_cli": "simple_switch_CLI", "cli": true, "pcap_dump": true, "enable_log": true,
Linux性能调优使用strace来分析文件系统的性能问题
最新发布
运维老生常谈
11-25 470
前面几章我们介绍了文件系统和磁盘的相关信息,其中大篇幅讲了I/O请求落到磁盘的整个过程,以及可能存在性能瓶颈的地方和排查工具方法。还未看过的,可以到文章末尾参阅之前的文章。今天主要来介绍工具strace,并由它来组合lsof、vmstat、iostat、pidstat等工具共同分析文件系统存在的性能问题。为什么要用这个工具?一是它安装使用比较方便、容易上手,可以通过命令来安装,安装后直接通过strace命令使用,无需额外配置。
Linux rsync命令
菜鸟记录
11-24 1005
Linux rsync命令
Linux】从条件变量到信号量|环形队列版生产者 - 消费者模型实战(附完整源码)
欢迎来到我的博客,私信我可以一起交流技术
11-23 872
前言:欢迎各位光临本博客,这里小编带你直接手撕**,文章并不复杂,愿诸君**耐其心性,忘却杂尘,道有所长!!!!在多线程编程中,同步与互斥是核心问题。本文将从条件变量、阻塞队列入手,逐步深入到POSIX信号量,并最终实现一个基于环形队列的生产者-消费者模型,展示不同同步机制的应用场景与实现细节。条件变量是线程间同步的基础工具,用于线程间的“等待-通知”机制。你可以把它想象成一个“消息板”,线程A在上面等待一个消息(条件满足),线程B在条件满足时在消息板上发布通知,唤醒线程A。这是条件变量最基础的实现,包含了
使用 nethogs 和 nload 进行 Linux 网络监控
Zsr1023的博客
11-22 133
特性nethogsnload监控对象进程网络接口核心问题谁在占用带宽流量总体多大,趋势如何优势精确定位到问题进程直观显示总体流量和速率变化关系微观,深入进程内部宏观,把握整体状况。
Linux---进程概念(一)——冯诺依曼体系、操作系统、进程、PCB的概念讲解
2401_88465894的博客
11-22 839
本文系统阐述了计算机系统的核心概念。首先介绍了冯诺依曼体系结构,包括五大组件(输入设备、存储器、运算器、控制器、输出设备)及其协作关系,重点解释了内存作为CPU与磁盘间缓冲的重要性。其次深入剖析了操作系统的本质,即通过"先描述再组织"的方式管理软硬件资源,将管理对象抽象为数据结构进行操作。然后详细讲解了进程概念,指出进程由内存中的程序代码/数据和PCB(进程控制块)共同构成,并阐述了进程调度中上下文切换的机制。最后说明了进程标识符的获取方式,强调用户程序必须通过系统调用访问内核数据结构。
Linux】make 与 makefile 实现自动化构建
L_0907的博客
11-24 635
本篇文章主要介绍 Linux 中 make 工具与 makefile 来实现自动化构建
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值