Have you ever come across a packet capture with TCP headers with the URG or PSH flags set? Explore TCP flags and the difference between URG and PSH.
So you’re reviewing a packet capture and you come across the TCP headers with the URG or PSH flags set. Have you ever wondered what they mean? Or what they do? Or what they’re supposed to do? Let’s dive in and check them out.
Consider this scenario: you’re using one of your favorite browsers to download some HTML from a website. The actual request is pretty small and will likely not fill an entire segment, let alone the two segments it would take to be queued for dispatch. Instead, the request is packaged and marked with a PSH flag, informing the client’s operating system to move this request along to the server and not wait for the buffers to fill.
We also learn from section 20.5 in TCP/IP Illustrated that the PSH flag is not something that is usually set by an API, but rather determined by the TCP implementation of the particular distribution. Accordingly, Berkeley-derived operating systems use the PSH flag to signal that the send buffers are empty on the client side. This is evident in the response to the request above and captured below.
It’s a small reply, which, too, does not fill a segment. Accordingly, it’s marked with a PSH before the transaction is concluded with the FIN.
The intended purpose of the URG flag is to let the stream and the receiving application know that there is some data that needs to be prioritized. For example, you have a file transfer that needs to be aborted because you inadvertently sent the wrong file.
The idea was that the URG flag would be set, with a pointer to the last byte of urgent data (set in the urgent pointer field of the TCP header), and that data would be prioritized; the rest of the data in the segment is treated as normal priority data. Typically, the PSH flag is also set because the data being sent is urgent and shouldn’t wait around for the segment to be full before entering a queue for dispatch.
Per Stevens (Section 20.8), who writes about TCP flags, there are differing implementations of the URG flag and a bifurcation as to urgent data and out-of-band management. To that end, finding a compliant packet trace has been elusive.
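To see where these bits sit in a capture, here is an added example (not from the original article) that decodes the flags and urgent pointer from raw TCP header bytes. The sample segments, ports, host name and helper names are constructed for illustration, and the urgent pointer is read as this article describes it, as an offset to the last byte of urgent data.

```python
import struct

# Bit masks for the flag bits in the low byte of header bytes 12-13.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp(segment: bytes) -> dict:
    """Decode a TCP segment's flags and, when URG is set, the urgent pointer."""
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte fixed TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4          # data offset counts 32-bit words
    if not 20 <= hdr_len <= len(segment):
        raise ValueError("data offset outside the segment")
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    out = {"flags": flags, "seq": seq, "payload": segment[hdr_len:],
           "urgent_pointer": None, "urgent_end_seq": None, "notes": []}
    if "URG" in flags:
        # The pointer is an offset from this segment's sequence number; it is
        # read here as the article describes: the last byte of urgent data.
        out["urgent_pointer"] = urg_ptr
        out["urgent_end_seq"] = (seq + urg_ptr) & 0xFFFFFFFF
        if "PSH" not in flags:
            out["notes"].append("URG set without PSH")
    elif urg_ptr:
        # The urgent pointer field is only interpreted when URG is set.
        out["notes"].append("urgent pointer set but URG flag clear")
    return out

def build_tcp(flags, payload=b"", seq=1000, urg_ptr=0):
    """Build a constructed sample segment (hypothetical ports, zero checksum)."""
    bits = sum(FLAG_BITS[f] for f in flags)
    hdr = struct.pack("!HHIIHHHH", 49152, 80, seq, 0, (5 << 12) | bits,
                      65535, 0, urg_ptr)
    return hdr + payload

# Constructed samples: a small HTTP request pushed with PSH, a segment whose
# first five bytes are urgent, and a segment with a stray urgent pointer.
REQUEST = build_tcp(["PSH", "ACK"], b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
URGENT = build_tcp(["URG", "PSH", "ACK"], b"ABORTfile-data", seq=5000, urg_ptr=4)
STRAY = build_tcp(["ACK"], b"data", urg_ptr=7)

if __name__ == "__main__":
    for name, seg in (("request", REQUEST), ("urgent", URGENT), ("stray", STRAY)):
        r = parse_tcp(seg)
        print(name, sorted(r["flags"]), r["urgent_pointer"],
              r["urgent_end_seq"], r["notes"])
```

Because implementations differ on how the pointer is interpreted, as noted above, treat `urgent_end_seq` as one reading of the field rather than a definitive boundary.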