TCP Flags and What They Mean

Have you ever come across a packet capture with TCP headers with the URG or PSH flags set? Explore TCP flags and the difference between URG and PSH.

So you’re reviewing a packet capture and you come across the TCP headers with the URG or PSH flags set. Have you ever wondered what they mean? Or what they do? Or what they’re supposed to do? Let’s dive in and check them out.

Pushing the Data Forward

Consider this scenario: you’re using one of your favorite browsers to download some HTML from a website. The actual request is pretty small and will likely not fill an entire segment, let alone two segments, in order to be queued for dispatch. Instead, the request is packaged and marked with a PSH flag, thereby informing the client’s operating system to move this request along to the server and not wait for the buffers to fill.

[Figure: TCP flags example]

We also learn from Section 20.5 of TCP/IP Illustrated that the PSH flag is not something that is usually set by an API, but rather determined by the TCP implementation of the particular distribution. Accordingly, Berkeley-derived operating systems use the PSH flag to signal that the send buffers are empty on the client side. This is evident in the response to the request above, captured below.

[Figure: TCP flags]

It’s a small reply, which, too, does not fill a segment. Accordingly, it’s marked with a PSH before the transaction is concluded with the FIN.

My Request Is URGent!

The intended purpose of the URG flag is to let the stream and the receiving application know that there is some data that needs to be prioritized. For example, you have a file transfer that needs to be aborted because you inadvertently sent the wrong file.

The idea was that the URG flag would be set, with the urgent pointer field of the TCP header pointing to the last byte of urgent data, so that this data is prioritized; the rest of the data in the segment is treated as normal-priority data. Typically, the PSH flag is also set because the data being sent is urgent and shouldn’t wait around for the segment to be full before entering a queue for dispatch.

Per Stevens, who writes about TCP flags in Section 20.8, there are differing implementations of the URG flag and a bifurcation between urgent data and out-of-band management. As a result, finding a compliant packet trace has been elusive.
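
As an added example (not from the original post or from Stevens), the Python code below decodes the flag byte and urgent pointer of a raw TCP segment and splits the payload into urgent and normal bytes as the two sections above describe. The sample segments, port numbers and the `pointer_is_last_byte` switch are constructed for illustration; the switch exists because stacks differ on whether the pointer marks the last urgent byte or the byte after it.

```python
import struct

# Flag bits in byte 13 of the TCP header.
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]

def parse_tcp_segment(segment, pointer_is_last_byte=True):
    """Decode the flags and split the payload into urgent and normal bytes.

    pointer_is_last_byte=True follows the article's reading (the pointer marks
    the last urgent byte); False treats it as the first byte after the urgent
    data. Which one applies is an assumption about the sending stack.
    """
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte minimum TCP header")
    (sport, dport, _seq, _ack, offset_byte, flag_byte,
     _window, _checksum, urg_ptr) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (offset_byte >> 4) * 4  # data offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset does not fit the segment")
    flags = [name for name, bit in FLAG_BITS if flag_byte & bit]
    payload = segment[header_len:]
    urgent, notes = b"", []
    if "URG" in flags:
        end = urg_ptr + 1 if pointer_is_last_byte else urg_ptr
        urgent = payload[:end]
        if end > len(payload):
            notes.append("urgent data continues past this segment")
        if "PSH" not in flags:
            notes.append("URG set without PSH")
    elif urg_ptr:
        notes.append("urgent pointer is non-zero but URG is clear")
    return {"sport": sport, "dport": dport, "flags": flags, "urgent": urgent,
            "normal": payload[len(urgent):], "notes": notes}

def build_segment(flag_byte, urg_ptr, payload):
    """Constructed sample input: a 20-byte header with no options, checksum 0."""
    header = struct.pack("!HHIIBBHHH", 50000, 21, 1000, 2000,
                         5 << 4, flag_byte, 65535, 0, urg_ptr)
    return header + payload

if __name__ == "__main__":
    # PSH|ACK|URG with the pointer on the fifth payload byte (offset 4).
    sample = build_segment(0x38, 4, b"ABORTrest-of-data")
    print(parse_tcp_segment(sample))
    print(parse_tcp_segment(sample, pointer_is_last_byte=False)["urgent"])
    # A small request with only PSH|ACK set, as in the first scenario.
    print(parse_tcp_segment(build_segment(0x18, 0, b"GET / HTTP/1.1\r\n\r\n")))
```

The one-byte difference between the two readings of the same segment is the kind of implementation disagreement that makes urgent data hard to interpret consistently in a capture.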
