TCP Header Format and Structure

If sequence and acknowledgment numbers track data, then flags control behavior. These six bits—SYN, ACK, FIN, RST, PSH, and URG—occupy a single byte of the TCP header but govern the entire lifecycle of every TCP connection.

Each flag is a boolean signal, either set (1) or clear (0), and their combinations create a rich vocabulary for connection management. A segment with SYN set initiates a connection; one with FIN set gracefully terminates it; one with RST set abruptly aborts it. Understanding these flags is essential for:

• Debugging network issues and connection failures
• Analyzing packet captures (Wireshark, tcpdump)
• Implementing firewalls and security filters
• Understanding TCP state machines and transitions
• Detecting and preventing network attacks

The TCP flags reside in the 13th byte of the TCP header (bits 100–107 in 0-indexed terms, or commonly referred to as the 13th and 14th bytes when including the reserved bits). The flags occupy 6 bits within a larger control field that also contains the 4-bit data offset and reserved bits.

The Classic Six Flags:

The original TCP specification (RFC 793) defined six control flags. From most significant to least significant bit position:

| URG | ACK | PSH | RST | SYN | FIN |
|  6  |  5  |  4  |  3  |  2  |  1  |  (bit weights)
|  32 |  16 |  8  |  4  |  2  |  1  |  (decimal values)

Common Flag Combinations:

The SYN (Synchronize) flag initiates a TCP connection by synchronizing sequence numbers between endpoints. It is the fundamental mechanism for connection establishment and appears only at the very beginning of a connection.

Primary Functions:

1. Signal connection request: A SYN-only segment says "I want to establish a connection"
2. Communicate Initial Sequence Number (ISN): The sequence number field contains the sender's ISN
3. Negotiate options: Window scale, SACK, timestamps, and MSS are exchanged with SYN
4. Consume sequence space: SYN occupies one sequence number for reliable acknowledgment

SYN Segment Types:

The Three-Way Handshake:

1. Client → Server: SYN, Seq=X
   "I want to connect. My starting sequence is X."

2. Server → Client: SYN+ACK, Seq=Y, Ack=X+1
   "Connection accepted. My starting sequence is Y. I expect X+1 next."

3. Client → Server: ACK, Seq=X+1, Ack=Y+1
   "Confirmed. I expect Y+1 next."

After this exchange, both sides have synchronized sequence numbers and can begin data transfer.

The ACK (Acknowledgment) flag is the most frequently set flag in TCP segments. It indicates that the acknowledgment number field in the header is valid and should be processed.

Behavior by ACK State:

After the initial SYN segment, every TCP segment has the ACK flag set. Even pure data segments acknowledge previously received data. This makes ACK the default state of TCP communication.

ACK-Only Segments:

Segments with only the ACK flag set (no data, no SYN, no FIN) serve specific purposes:

1. Acknowledge received data without sending any new data
2. Keep-alive probes to verify connection is still active
3. Window updates to advertise newly available receive buffer space
4. Delayed acknowledgment when no data to send

ACK Characteristics:

• Consumes 0 sequence numbers: Pure ACKs don't advance sequence space
• Not retransmitted: Lost ACKs are covered by cumulative acknowledgment
• Can piggyback: Almost always combined with data segments when available

ACK in State Transitions:

The ACK flag is critical for TCP state machine transitions:

SYN_SENT state:
  - Receive SYN+ACK → Send ACK → Move to ESTABLISHED
  
SYN_RECEIVED state:
  - Receive ACK for our SYN → Move to ESTABLISHED
  
FIN_WAIT_1 state:
  - Receive ACK for our FIN → Move to FIN_WAIT_2

The FIN (Finish) flag signals the sender's intention to terminate the connection gracefully. Unlike RST, which abruptly aborts, FIN allows both sides to finish transmitting any remaining data before closing.

FIN Semantics:

• "I have no more data to send"
• "Please acknowledge this FIN"
• "You may still send data to me" (until you also send FIN)

The Half-Close:

TCP connections are full-duplex, meaning data can flow in both directions independently. A FIN closes only one direction:

A sends FIN to B:
  - A → B direction: Closed (A will send no more data)
  - B → A direction: Open (B can still send data)
  - This is called a "half-close"

The connection is fully closed only when both sides have sent and acknowledged FINs.

The Four-Way Close:

Graceful termination typically requires four segments:

1. A → B: FIN+ACK, Seq=X
   "I'm done sending. Final data was up to X."

2. B → A: ACK, Ack=X+1
   "I acknowledge your FIN."

3. B → A: FIN+ACK, Seq=Y
   "I'm also done sending. Final data was up to Y."

4. A → B: ACK, Ack=Y+1
   "I acknowledge your FIN. Connection closed."

Piggybacked FIN-ACK:

Steps 2 and 3 can be combined if B has no more data:

1. A → B: FIN+ACK
2. B → A: FIN+ACK (acknowledges A's FIN and sends B's FIN)
3. A → B: ACK (acknowledges B's FIN)

This reduces the exchange to three segments.

The RST (Reset) flag immediately and abruptly terminates a TCP connection. Unlike FIN's graceful closure, RST discards any outstanding data and ends the connection without negotiation.

When RST is Generated:

1. No listener on port: Connection attempt to closed port
2. Segment for non-existent connection: Data arrives for unknown four-tuple
3. Application abort: Application explicitly aborts (SO_LINGER = 0)
4. Resource exhaustion: System cannot handle more connections
5. Security measures: Firewall or IDS rejects connection

RST vs. FIN:

The PSH (Push) flag signals that the receiver should "push" buffered data to the application immediately rather than waiting to accumulate more data. It's a hint about data urgency, not a hard requirement.

PSH Semantics (Receiver Side):

• Without PSH: TCP may buffer data before delivering to application
• With PSH: TCP should deliver buffered data promptly

Common PSH Usage:

1. Interactive applications: Telnet, SSH send PSH to minimize latency
2. Request completion: HTTP request ends with PSH to indicate "process this now"
3. Small writes: Many implementations set PSH on final segment of each write()
4. Prompt delivery: Any time sender wants receiver to act immediately

Sender Behavior:

When an application makes a write() call, TCP buffering may delay transmission:

Without PSH: 
  write("GET / HTTP/1.1\r
") → Buffer, maybe wait for more data
  
With PSH:
  write("GET / HTTP/1.1\r
", MSG_PUSH) → Send immediately with PSH set

However, most TCP implementations automatically set PSH when:

• Sending the last segment of buffered data
• The send buffer becomes empty
• The application explicitly requests it

Modern Reality:

In practice, the PSH flag is often set automatically and rarely configured by applications. Modern operating systems typically set PSH on every segment that empties the send buffer, making it a nearly ubiquitous flag in TCP traffic.

The URG (Urgent) flag and its companion Urgent Pointer field implement out-of-band data delivery within the TCP stream. Urgent data can be processed before normally sequenced data, enabling time-sensitive signals.

URG Mechanism:

When URG is set:

1. The 16-bit Urgent Pointer field (bytes 18–19) becomes valid
2. Urgent Pointer = offset from sequence number to end of urgent data
3. Receiver should notify application of urgent data presence

Segment: Seq=1000, URG=1, UrgPtr=10, Data="URGENT!!!NORMAL"

Interpretation:
  Urgent data: bytes 1000-1009 ("URGENT!!!" - 10 bytes)
  Normal data: bytes 1010+ ("NORMAL")

Historical Ambiguity:

The original RFC 793 was ambiguous about whether Urgent Pointer points to the last byte of urgent data or one past it. Different implementations chose differently:

• BSD interpretation: Points to last byte of urgent data
• RFC 1122 clarification: Points to first byte after urgent data

This inconsistency caused interoperability problems, and modern systems follow RFC 1122.

Application Interface:

Unix/POSIX systems expose urgent data through:

/* Sender: Send out-of-band data */
send(sock, "!", 1, MSG_OOB);

/* Receiver: Check for urgent data */
int atmark;
ioctl(sock, SIOCATMARK, &atmark);
if (atmark) {
    recv(sock, buf, 1, MSG_OOB);  /* Receive urgent byte */
}

/* Or use SIGURG signal to be notified of urgent data */
fcntl(sock, F_SETOWN, getpid());
/* SIGURG delivered when urgent data arrives */

Security Implications:

Some intrusion detection systems have historically failed to properly handle urgent data, creating evasion opportunities. Fragmented urgent data across multiple segments could bypass detection of malicious content.

TCP flags aren't used in isolation—their combinations trigger state machine transitions that define the connection lifecycle. Understanding these combinations is essential for network debugging and security analysis.

Illegal or Suspicious Combinations:

Certain flag combinations are protocol violations or attack signatures:

Security tools use these anomalies for detection:

• Null scan: No flags set → May elicit different responses
• XMAS scan: FIN+PSH+URG → Some systems respond differently
• Maimon scan: FIN+ACK to closed port → Some systems don't RST

Beyond the original six flags, modern TCP includes three additional flags for Explicit Congestion Notification (ECN):

ECN Flags:

ECN Operation:

1. ECN capability negotiated via SYN exchange (ECE+CWR in initial SYN)
2. Routers mark IP header with Congestion Experienced (CE) when queues fill
3. TCP receiver sees CE mark, sets ECE flag in ACKs
4. TCP sender receives ECE, reduces congestion window, sets CWR
5. CWR signals to receiver: "I got your ECE, you can stop setting it"

We've explored the six classic TCP control flags and their modern extensions—the Boolean signals that govern every aspect of TCP connection management.

What's Next:

With flags controlling connection lifecycle and data delivery behavior, one critical piece remains: window size. The next page explores the window field—the mechanism that enables flow control by advertising available receive buffer space, ensuring senders don't overwhelm receivers.