analysis of TCP flags

oc32tflags.pl is being used for an analysis of some aspects of TCP flags.

sample results:



(older stuff:) WAN mice

wide area mice -- a tragedy in 3 acts

(two different traces, updated 15 feb 97)

(inspired by dkerr and tli and
other fine upstandingly inquisitive router building citizens
wondering ``Just what is this shit?''

This page is not for young children or anyone who thinks CDA stands for something)

Data: two 20min-ish FIXWest traces, 9/96 and 1/97. (need ICM trace, think it's even more tragic over there)

Goal of study: Give router vendors info on wtf they're building stuff to switch. Characterize the 40-byte packets, the packets with flags set, and the retransmitted packets, from a very macroscopic perspective. Gory details in the tables at the bottom; we'll go thru the highlights here.
Ulterior goal: Get router vendors to sponsor Caida research.


For 40 byte packets:

How many are TCP? What are the others?
over 99% of the 40-byte packets are TCP. ICMP, IGMP, UDP send a few. see table 2.

How many are SYN? SYN|ACK?
Very few 40-byte SYNs actually, less than .5%. Most SYNs at this collection point are 44 bytes (hellloo MSS option.)

can anyone verify this at other points for us?

@@Darren what's this you're saying about your SYNs doing ttcp? what's up with that?? what's a SYN doing ttcp for? or you meant a ttcp run doing SYNs, and you're just randomly running a lot of ttcp?

How many are RST?
Of the 40-byters (26% and 18% of the total packets in the two traces; i think it's more at ICM, which is why i want to run this script on ICM traces),
about 5% of them are pure RST, but another scattered few have RST plus other flags, most likely RST ACK. But also some RST ACK PSH, RST PSH, FIN RST ACK (hi there, PC TCP.), and RST URG. Anyway, all those enhanced RSTs together are less than 1% of the 40s.

How many are FIN? FIN+ACK?
In 27 million packets, one lonely ackless FIN (from a web server but didn't go find which one)
FIN ACKs are about 5-6% of your 40s.
A few FIN PSH ACKs, and 1 FIN ACK URG, our FIN RST ACK from above,
and a FIN PSH ACK URG [k to PC TCP: oh, now you're just showing off.]

how many 40 bytes are ACKs?
In both these traces, about 95% of the 40s have the ACK bit set.

How many are retransmitted ACKs?
You're not going to like this... I'm just going to have to walk through the whole re-mice table line by line:
total packets:  		1.5M			1.16M
rexmitted TCP packets 		3463748 		1786628 
retransmitted TCP mice (40) 	2588665 		1211293 

of the re-mice (prcAgain = rough estimate of what percent of that flag combo's 40-byters got retransmitted):
 flags	packets	40s prc	flag names	 flags	packets	40s prc	 prcAgain[estimated]
 ====== ======= ======= ===========	 ====== ======= =======  ===================
 1	1	0.000	FIN					 100

lovely, the single nakedFIN in all the two traces meets my defn of retransmitted. impressive. maybe the first FIN was a FIN ACK or something. would take too long for me to go back and figure out now. hold peace.
 2	4542	0.114	SYN	 2	1633	0.080	 	25
 4	75717	1.900	RST	 4	15039	0.740		10-20
 c	1091	0.027	RST PSH	 c	148	0.007	 	50

man over half of those puppies had to be retransmitted, i guess being PSHy isn't paying off here
 10	2313424	58.065	ACK	 10	1117806	55.032	 	65

notice that eighty six percent of the forty-byte packets are ACKs, and 55-58% of the forty-byte packets are retransmitted ACKs. Zoinks.
 11	108916	2.734	FIN ACK	 11	55636	2.739	 	50
 12	4682	0.118	SYN ACK	 12	2005	0.099		17

only about one-sixth of them get to go again. guess no windowed-data'ed yet. [still on honeymoon]
 14	14310	0.359	RST ACK	 14	8765	0.432		60-65
 15	19	0.000	FIN RST ACK 15	19	0.001	 	100

Only 19 of these in the whole trace, all retransmitted. That host really wanted out of that relationship.
 18	32964	0.827	PSH ACK	 18	7998	0.394	 	70-80
 19	31400	0.788	FIN PSH ACK 19	1643	0.081	 	80-97
 1c	1577	0.040	RST PSH ACK 1c	596	0.029		40
 24	16	0.000	RST URG					95

only 17 of these packets; 16 of them apparently rexmits of the first one. talk about a persistent connection [k waves to PC TCP]
 30	6	0.000	ACK URG					67
[only 9 to begin with; k waves to PC TCP]
 39	5	0.000	FIN PSH ACK URG				83

[only 6 to begin with, k waves to PC TCP]
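To make the 40-byte flags breakout above and this re-mice walk-through reproducible on a small scale, here is an added Python example (not the oc32tflags.pl script and not CAIDA code) that decodes the six-bit TCP flag byte into the same hex values and flag names the tables use, tallies the any-size breakout, the 40-byte "mice" breakout and the retransmitted-mice breakout, and also flags the null, SYN+FIN and SYN+RST combinations that show up as rows 0, 3 and 6 of the any-size table. It assumes IPv4 with no IP options, takes the packet length from the IP header, and uses its own definition of "retransmitted" (an identical address/port/seq/ack/flags tuple seen earlier in the trace), since the page does not spell out the script's definition; the trace it runs on is constructed inline with placeholder addresses.

```python
import socket
import struct
from collections import Counter

# Flag bits in the order the page's tables use; the hex 'flags' column is this byte.
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def flag_names(flags):
    """Render a flag value the way the tables do, e.g. 0x11 -> 'FIN ACK', 0x1c -> 'RST PSH ACK'."""
    return " ".join(name for bit, name in FLAG_BITS if flags & bit)

def is_anomalous(flags):
    """Combinations no conforming stack sends: null, SYN+FIN, SYN+RST, or all six bits set.
    The any-size table shows a handful of each (rows 0, 3, 6, 3f); an IDS would log them."""
    fin, syn, rst = flags & 0x01, flags & 0x02, flags & 0x04
    return flags == 0 or bool(syn and fin) or bool(syn and rst) or flags == 0x3f

def build_packet(src, dst, proto, sport=0, dport=0, seq=0, ack=0, flags=0, payload=b""):
    """Constructed test input (not a capture): minimal IPv4 header + 20-byte TCP header,
    checksums left zero. Non-TCP protocols get a 20-byte zero body so they are 40-byters too."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    if proto != 6:
        return ip + b"\x00" * 20 + payload
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp + payload

def parse_packet(raw):
    """Return (proto, total_len, key); key is None for non-TCP, else
    (src, dst, sport, dport, seq, ack, flags). Only the low six flag bits are kept."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0f) * 4
    if proto != 6:
        return proto, total_len, None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return proto, total_len, (src, dst, sport, dport, seq, ack, off_flags & 0x3f)

def analyze(packets):
    """Build the page's tables: 40-byters per protocol, any-size TCP flag breakout,
    40-byte TCP ('mice') breakout, and retransmitted mice ('re-mice').
    Retransmission here is an assumption of this example: a 40-byte TCP packet whose
    (addresses, ports, seq, ack, flags) tuple already appeared earlier in the trace."""
    proto40, any_size, mice, remice = Counter(), Counter(), Counter(), Counter()
    anomalies, seen = [], set()
    for raw in packets:
        proto, total_len, key = parse_packet(raw)
        if total_len == 40:
            proto40[proto] += 1
        if key is None:
            continue
        flags = key[-1]
        any_size[flags] += 1
        if is_anomalous(flags):
            anomalies.append(key)
        if total_len == 40:
            mice[flags] += 1
            if key in seen:
                remice[flags] += 1
            seen.add(key)
    return {"proto40": proto40, "any_size": any_size, "mice": mice,
            "remice": remice, "anomalies": anomalies}

def breakout(counter, denominator):
    """Rows in the tables' shape: (hex flags, packets, percent of denominator, flag names)."""
    return [(f"{f:x}", n, round(100.0 * n / denominator, 3), flag_names(f))
            for f, n in sorted(counter.items())]

def sample_trace():
    """Constructed trace: one web connection with a duplicated pure ACK and a FIN RST ACK
    teardown, a stray RST, two malformed probes, and two non-TCP 40-byters. Placeholder addresses."""
    A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
    def tcp(s, d, sp, dp, seq, ack, fl, pl=b""):
        return build_packet(s, d, 6, sp, dp, seq, ack, fl, pl)
    return [
        tcp(A, B, 1025, 80, 100, 0, 0x02),                       # SYN (40 bytes: no MSS option)
        tcp(B, A, 80, 1025, 500, 101, 0x12),                     # SYN ACK
        tcp(A, B, 1025, 80, 101, 501, 0x10),                     # ACK, handshake done
        tcp(A, B, 1025, 80, 101, 501, 0x18, b"GET / HTTP"),      # PSH ACK, 50 bytes
        tcp(B, A, 80, 1025, 501, 111, 0x10),                     # pure ACK
        tcp(B, A, 80, 1025, 501, 111, 0x10),                     # identical pure ACK: a re-mouse
        tcp(B, A, 80, 1025, 501, 111, 0x18, b"HTTP/1.0 200 OK\r\n\r\n"),  # PSH ACK, data
        tcp(A, B, 1025, 80, 111, 520, 0x10),                     # ACK of the data
        tcp(A, B, 1025, 80, 111, 520, 0x11),                     # FIN ACK
        tcp(B, A, 80, 1025, 520, 112, 0x15),                     # FIN RST ACK (the table's row 15)
        tcp(C, B, 2000, 80, 0, 0, 0x04),                         # stray RST
        tcp(C, B, 2001, 80, 0, 0, 0x00),                         # null flags: anomalous
        tcp(C, B, 2002, 80, 0, 0, 0x03),                         # FIN SYN: anomalous
        build_packet(A, B, 17),                                  # 40-byte UDP
        build_packet(A, B, 1),                                   # 40-byte ICMP
    ]

if __name__ == "__main__":
    r = analyze(sample_trace())
    total_mice = sum(r["mice"].values())
    for label, table in (("mice", r["mice"]), ("re-mice", r["remice"])):
        print(f"{label} flags breakout for the {total_mice} TCP packets of 40 byte length")
        for hx, n, pct, names in breakout(table, total_mice):
            print(f" {hx:<6} {n:<7} {pct:<7.3f} {names}")
    print("anomalous flag combinations:", len(r["anomalies"]))
```

The SYN in the constructed trace carries no MSS option, so it counts as a 40-byter; real SYNs mostly show up as 44 bytes, as noted above. The retransmission definition is the sensitive part of any re-mice count: a definition keyed on sequence number alone would count every pure ACK of a connection after its first as a retransmit, because pure ACKs never advance seq, so the choice of key has a large effect on how big the re-mice ACK row comes out.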



  
[widen your screen]
start = 12:17:43 96/9/26			start =  9:51:27 97/1/9
packets=15315131	bytes=4276603522	packets=11580323	bytes=3291170537
	
per protocol breakout:	

 prot   packets %pkts   bytes      %bytes  name    prot   packets %pkts   bytes      %bytes
 ====== ======= ======= ========== ======  ======= ====== ======= ======= ========== ======
 0      1       0.000   0          0.000   ip
 1      153871  1.005   10739758   0.251   icmp    1      254848  2.201   16526621    0.502   
 2      32563   0.213   10415272   0.244   igmp    2      67838   0.586   15088149    0.458  
 4      2785868 18.190  772646272  18.067  ipencap 4      2464994 21.286  788748774  23.966
 6      9477461 61.883  3076076300 71.928  tcp     6      5475314 47.281  1952642543 59.330
 8      131     0.001   4454       0.000   egp     8      27      0.000   918         0.000   
 17     2857378 18.657  405321971  9.478   udp     17     3301354 28.508  514555563  15.634  
 29     13      0.000   624        0.000   iso-tp4
 41     4       0.000   496        0.000           41     50      0.000   8276        0.000 
 47     1       0.000   53         0.000           47     13906   0.120   3335532     0.101 
 55     3363    0.022   298852     0.007           55     517     0.004   65400       0.002 
 74     3       0.000   195        0.000           74     10      0.000   636         0.000 
 83     1091    0.007   82272      0.002           83     809     0.007   87944       0.003 
 89     2556    0.017   813800     0.019   ospf    89     427     0.004   46184       0.001 
 93     410     0.003   74525      0.002           93     85      0.001   8408        0.000 
 94     1       0.000   65         0.000   ipip    94     1       0.000   65          0.000 
 96     300     0.002   126000     0.003           96     130     0.001   54900       0.002 
 98     75      0.000   1725       0.000   encap
 254    54      0.000   1512       0.000            


only 40 byte packets per protocol breakout:
 prot   packets %40     %all	name  	 prot packets %40     %all       
 ====== ==================== 	=======  ==== ====== ===================

 1      1935    0.048   0.013   icmp   	   1   3418    0.167   0.030  
 2      3012    0.075   0.020   igmp   	   2   7801    0.382   0.067 
			        ipencap    4   5       0.000   0.000
 6      3984185 99.822  26.015  tcp   	   6   2031203 99.415  17.54
 17     2168    0.054   0.014   udp   	  17   730     0.036   0.006


any-size breakout:	
	
 flags	packets	TCP prc	flag names	 flags	packets	TCP prc	flag names
 ====== ======= ======= ==============	 ====== ======= ======= ==============
 0	24	0.000			 0	3	0.000		
 1	8	0.000	 FIN		 1	9	0.000	 FIN	
 2	288377	3.043	 SYN		 2	227624	4.157	 SYN	
 3	8	0.000	 FIN SYN	 4	90826	1.659	 RST	
 4	196653	2.075	 RST		 5	10	0.000	 FIN RST	
 5	6	0.000	 FIN RST	 6	87	0.002	 SYN RST	
 6	259	0.003	 SYN RST	 7	1	0.000	 FIN SYN RST	
 7	4	0.000	 FIN SYN RST	 9	5	0.000	 FIN PSH	
 8	25	0.000	 PSH		 a	463	0.008	 SYN PSH	
 9	6	0.000	 FIN PSH	 b	4	0.000	 FIN SYN PSH	
 a	2509	0.026	 SYN PSH	 c	285	0.005	 RST PSH	
 b	19	0.000	 FIN SYN PSH	 d	3	0.000	 FIN RST PSH	
 c	1510	0.016	 RST PSH	
 d	3	0.000	 FIN RST PSH	
 e	1	0.000	 SYN RST PSH	
 f	1	0.000	 FIN SYN RST PSH		
 10	6592629	69.561	 ACK		 10	3781761	69.069	 ACK	
 11	236441	2.495	 FIN ACK	 11	141823	2.590	 FIN ACK	
 12	223981	2.363	 SYN ACK	 12	166555	3.042	 SYN ACK	
 13	41	0.000	 FIN SYN ACK	 13	4	0.000	 FIN SYN ACK	
 14	22814	0.241	 RST ACK	 14	14875	0.272	 RST ACK	
 15	27	0.000	 FIN RST ACK	 15	23	0.000	 FIN RST ACK	
 16	7	0.000	 SYN RST ACK	 16	2	0.000	 SYN RST ACK	
 17	4	0.000	 FIN SYN RST ACK 17	3	0.000	 FIN SYN RST ACK	
 18	1781037	18.792	 PSH ACK	 18	988026	18.045	 PSH ACK	
 19	125679	1.326	 FIN PSH ACK	 19	60900	1.112	 FIN PSH ACK	
 1a	84	0.001	 SYN PSH ACK	 1a	35	0.001	 SYN PSH ACK	
 1b	7	0.000	 FIN SYN PSH ACK 1b	10	0.000	 FIN SYN PSH ACK	
 1c	4645	0.049	 RST PSH ACK	 1c	1639	0.030	 RST PSH ACK	
 1d	4	0.000	 FIN RST PSH ACK 1d	35	0.001	 FIN RST PSH ACK	
 1e	2	0.000	 SYN RST PSH ACK 1e	1	0.000	 SYN RST PSH ACK	
 1f	3	0.000	 FIN SYN RST PSH ACK		
 20	59	0.001	 URG		 20	16	0.000	 URG	
 21	22	0.000	 FIN URG	 21	7	0.000	 FIN URG	
 22	3	0.000	 SYN URG	 22	4	0.000	 SYN URG	
 23	5	0.000	 FIN SYN URG	 23	8	0.000	 FIN SYN URG	
 24	26	0.000	 RST URG	 24	5	0.000	 RST URG	
 25	9	0.000	 FIN RST URG	 25	8	0.000	 FIN RST URG	
 26	1	0.000	 SYN RST URG	 26	1	0.000	 SYN RST URG	
 27	10	0.000	 FIN SYN RST URG 27	6	0.000	 FIN SYN RST URG	
 28	3	0.000	 PSH URG	 28	2	0.000	 PSH URG	
 29	3	0.000	 FIN PSH URG	 29	11	0.000	 FIN PSH URG	
 2a	5	0.000	 SYN PSH URG	 2a	2	0.000	 SYN PSH URG	
 2b	4	0.000	 FIN SYN PSH URG 2b	1	0.000	 FIN SYN PSH URG	
 2c	20	0.000	 RST PSH URG	 2c	11	0.000	 RST PSH URG	
 2d	42	0.000	 FIN RST PSH URG 2d	3	0.000	 FIN RST PSH URG	
 2e	10	0.000	 SYN RST PSH URG 2e	9	0.000	 SYN RST PSH URG	
 2f	43	0.000	 F/S/R/P/URG	 2f	7	0.000	 FIN SYN RST PSH URG	
 30	69	0.001	 ACK URG	 30	24	0.000	 ACK URG	
 31	3	0.000	 FIN ACK URG	 31	4	0.000	 FIN ACK URG	
 32	4	0.000	 SYN ACK URG	 32	5	0.000	 SYN ACK URG	
 33	8	0.000	 FIN SYN ACK URG 33	4	0.000	 FIN SYN ACK URG	
 34	8	0.000	 RST ACK URG	 34	12	0.000	 RST ACK URG	
 35	4	0.000	 FIN RST ACK URG 35	5	0.000	 FIN RST ACK URG	
 36	4	0.000	 SYN RST ACK URG
 37	3	0.000	 FSRAU 		 37	9	0.000	 FIN SYN RST ACK URG	
 38	196	0.002	 PSH ACK URG	 38	98	0.002	 PSH ACK URG	
 39	57	0.001	 FIN PSH ACK URG 39	12	0.000	 FIN PSH ACK URG	
 3a	1	0.000	 SYN PSH ACK URG
 3b	2	0.000	 FSPAU 		 3b	2	0.000	 FIN SYN PSH ACK URG	
 3c	3	0.000	 RST PSH ACK URG 3c	12	0.000	 RST PSH ACK URG	
 3d	1	0.000	 FRPAU 		 3d	4	0.000	 FIN RST PSH ACK URG	
 3e	9	0.000	 SRPAU 		 3e	10	0.000	 SYN RST PSH ACK URG	
 3f	6	0.000	 FSRPAU 
	
mice flags breakout 				mice flags breakout 
for the 3984185 TCP packets of 40 byte length	for the 2031203 TCP packets of 40 byte length
(26.015 percent of the complete packet trace)	(17.540 percent of the complete packet trace)
	
 flags	packets	40s prc	flag names	 	flags	packets	40s prc	flag names
 ====== ======= ======= ==============	 	====== ======= ======= ==============
 1	1	0.000	 FIN		
 2	19126	0.480	 SYN		 	2	9030	0.445	 SYN	
 4	195183	4.899	 RST		 	4	90241	4.443	 RST	
 a	1	0.000	 SYN PSH	
 c	1509	0.038	 RST PSH		c	281	0.014	 RST PSH	
 10	3429806	86.086	 ACK			10	1762263	86.760	 ACK	
 11	208015	5.221	 FIN ACK		11	127523	6.278	 FIN ACK	
 12	24503	0.615	 SYN ACK		12	12884	0.634	 SYN ACK	
 14	22065	0.554	 RST ACK		14	14558	0.717	 RST ACK	
 15	19	0.000	 FIN RST ACK		15	21	0.001	 FIN RST ACK	
 18	47245	1.186	 PSH ACK		18	10504	0.517	 PSH ACK	
 19	32346	0.812	 FIN PSH ACK		19	2360	0.116	 FIN PSH ACK	
 1c	4340	0.109	 RST PSH ACK		1c	1528	0.075	 RST PSH ACK	
 24	17	0.000	 RST URG		
 30	9	0.000	 ACK URG		30	1	0.000	 ACK URG	
 31	1	0.000	 FIN ACK URG		31	1	0.000	 FIN ACK URG	
 38	1	0.000	 PSH ACK URG	
 39	6	0.000	 FIN PSH ACK URG	
 ====== ======= ======= ==============          ====== ======= ======= ==============
	3984185 	Total 40-byters:		2031203 
	
3463748 rexmitted TCP packets of 1.5M total	1786628 retransmitted TCP packets of 1.16M total
2588665 retransmitted TCP mice (40)		1211293 retransmitted TCP mice (40)
	
re-mice breakout:	re-mice breakout:
 flags	packets	40s prc	flag names	 flags	packets	40s prc	flag names
 ====== ======= ======= ==============	 ====== ======= ======= ==============
 1	1	0.000	FIN		
 2	4542	0.114	SYN		 2	1633	0.080	 SYN	
 4	75717	1.900	RST		 4	15039	0.740	 RST	
 c	1091	0.027	RST PSH	 	 c	148	0.007	 RST PSH	
 10	2313424	58.065	ACK		 10	1117806	55.032	 ACK	
 11	108916	2.734	FIN ACK	 	 11	55636	2.739	 FIN ACK	
 12	4682	0.118	SYN ACK	 	 12	2005	0.099	 SYN ACK	
 14	14310	0.359	RST ACK	 	 14	8765	0.432	 RST ACK	
 15	19	0.000	FIN RST ACK	 15	19	0.001	 FIN RST ACK	
 18	32964	0.827	PSH ACK	 	 18	7998	0.394	 PSH ACK	
 19	31400	0.788	FIN PSH ACK	 19	1643	0.081	 FIN PSH ACK	
 1c	1577	0.040	RST PSH ACK	 1c	596	0.029	 RST PSH ACK	
 24	16	0.000	RST URG		
 30	6	0.000	ACK URG		
 39	5	0.000	FIN PSH ACK URG	




per dennis request about mbone packets

last updated 17 feb 97
questions or comments: kc@nlanr.net.