Question

I was told to ask this here:

10:53:04.042608 IP 172.17.2.12.42654 > 172.17.2.6.6000: Flags [FPU], seq 3891587770, win 1024, urg 0, length 0

10:53:04.045939 IP 172.17.2.6.6000 > 172.17.2.12.42654: Flags [R.], seq 0, ack 3891587770, win 0, length 0

This states that the flags set are FPU and R. What flags do these stand for and what kind of exchange is this?


Solution

The flags are:

  • F - FIN, used to terminate an active TCP connection from one end.
  • P - PUSH, asks that any data the receiving end is buffering be sent to the receiving process.
  • U - URGENT, indicating that there is data referenced by the urgent "pointer."
  • R - RESET, indicating that a packet was received that was NOT part of an existing connection.

It looks like the first packet was manufactured, or possibly delayed. The argument for it being manufactured is the urgent flag being set, with no urgent data. If it was delayed, it indicates the normal end of a connection between .12 and .6 on port 6000, along with a request that the last of any pending data sent across the wire be flushed to the service on .6.

.6 has clearly forgotten about this connection, if it even existed. .6 is indicating that while it got the FIN packet, it believes that the connection that FIN packet refers to did not exist.

If .6 had a current matching connection, it would have replied with a FIN-ACK instead of RST, acknowledging the termination of the connection.
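As an added example (not part of the original answer), the following Python sketch decodes the flag letters in tcpdump summary lines, marks segments such as the `[FPU]` one discussed above, and checks whether the other side answered with a RST. The function names are hypothetical, and the third sample line is constructed for contrast.

```python
import re

# Flag letters as tcpdump prints them; "." means ACK.
FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
              "U": "URG", ".": "ACK", "E": "ECE", "W": "CWR"}
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
                     r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$")

# First two lines are the capture from the question; the third is constructed.
SAMPLE = [
    "10:53:04.042608 IP 172.17.2.12.42654 > 172.17.2.6.6000: Flags [FPU], seq 3891587770, win 1024, urg 0, length 0",
    "10:53:04.045939 IP 172.17.2.6.6000 > 172.17.2.12.42654: Flags [R.], seq 0, ack 3891587770, win 0, length 0",
    "10:53:05.000000 IP 172.17.2.12.42700 > 172.17.2.6.6000: Flags [F.], seq 100, ack 200, win 1024, length 0",
]

def parse_line(line):
    """Parse one tcpdump TCP summary line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw, rest = m.group("flags"), m.group("rest")
    def field(name):
        hit = re.search(r"\b%s (\d+)" % name, rest)
        return int(hit.group(1)) if hit else None
    flags = set() if raw == "none" else {FLAG_NAMES.get(c, c) for c in raw}
    return {"src": m.group("src"), "dst": m.group("dst"), "flags": flags,
            "urg": field("urg"), "length": field("length")}

def anomalies(pkt):
    """Reasons a segment does not look like normal connection traffic."""
    out = []
    if "URG" in pkt["flags"] and pkt["urg"] == 0 and pkt["length"] == 0:
        out.append("URG set but no urgent data")
    # Every segment of an established connection carries ACK.
    if "FIN" in pkt["flags"] and "ACK" not in pkt["flags"]:
        out.append("FIN without ACK")
    return out

def review(lines):
    """Return (src, dst, flags, reasons, answered_by_rst) per odd segment."""
    pkts = [p for p in map(parse_line, lines) if p]
    report = []
    for i, p in enumerate(pkts):
        reasons = anomalies(p)
        if reasons:
            # A RST coming back means the receiver had no matching connection.
            rst = any("RST" in q["flags"] and (q["src"], q["dst"]) == (p["dst"], p["src"])
                      for q in pkts[i + 1:])
            report.append((p["src"], p["dst"], sorted(p["flags"]), reasons, rst))
    return report
```

Calling `review(SAMPLE)` reports only the `[FPU]` segment; the constructed `[F.]` line is an ordinary close and is not reported.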

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow