Decoding Netflow TCP Flags
For the most part the fields in Netflow and IPFIX are self-explanatory - there's really no question what "Source Port" or "IPv4 Next Hop" fields are. Other fields aren't so straightforward, like the "TCP Flags" field. Lots of people know the typical TCP flags from learning the three-way handshake in basic networking (SYN, SYN-ACK, ACK). There are other flags too, like URG, RST, and FIN, but they aren't exported in a way that's spelled out.
Netflow v5 and v9 export TCP Flags as a numeric value, like "27". For all the different types of TCP flags out there, it all boils down to a single number that doesn't tell you much at first glance. This is where we have to do some special counting - binary. By counting in binary we can identify one or more flags that are set just from looking at one number.
First, we'll write out the value of each binary digit, doubling as we go from right to left:
32 16 8 4 2 1
Then we'll match those numbers up with the corresponding TCP flags:
URG ACK PSH RST SYN FIN
 32  16   8   4   2   1
This is what gives us the framework for counting. Start from the left and count to the right, adding together the numbers that make up the combination of your reported TCP flags.
For example, I just saw a flow with the TCP Flags field set to 18. Let's figure out what flags are set for that flow.
Starting from left to right, we'll add up numbers until we reach 18. We know that the URG flag wasn't set, because 32 is greater than 18, and that blows the math out of the water. ACK has a value of 16, which is less than 18, so it looks like the ACK flag was set. Here's what we have so far:
URG ACK PSH RST SYN FIN
 32  16   8   4   2   1
 --   X
There's still 2 left, so we need to find a flag or a combination of flags that equal 2. Continuing to the right, we can tell the PSH flag wasn't set, because 8 is more than the 2 we're still looking for, and again it blows the math right out of the water. The same goes for RST, because it's more than we need. The SYN flag, however, fits the bill as shown below:
URG ACK PSH RST SYN FIN
 32  16   8   4   2   1
 --   X  --  --   X  --
Adding the 16 (ACK) and the 2 (SYN) together gives us 18, the reported TCP flags in the flow.
This binary counting method works for all combinations of TCP flags, and allows us to report up to six possible flags being set in just one number. Unfortunately it takes a little legwork on our part to decipher it, but we also don't have to parse out a bunch of fields in the flow export just for TCP flags.
Here are some other quick examples, just to check your comprehension of the method:
TCP Flag: 24 - ACK, PSH
TCP Flag: 16 - ACK
TCP Flag: 2 - SYN
TCP Flag: 0 - Nothing
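The counting method above, written out as a short Python script so the quick examples can be checked automatically. This is an added example, not code from the original post. The six flag values come from the post; the two extra entries, ECE (64) and CWR (128), are the upper two bits of the one-byte TCP flags field and are an assumption about exporters that fill the whole byte, so the decoder goes slightly beyond the six flags the post covers. The sample flow records are constructed for the example and are not real export data.

```python
"""Decode the numeric TCP Flags field from a NetFlow v5/v9 or IPFIX record."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Bit value of each flag, largest first, in the same left-to-right order the
# post counts in. The first two rows (CWR, ECE) are the remaining bits of the
# flags byte and are an assumption beyond the post's six-flag table.
FLAG_BITS: List[Tuple[str, int]] = [
    ("CWR", 128),
    ("ECE", 64),
    ("URG", 32),
    ("ACK", 16),
    ("PSH", 8),
    ("RST", 4),
    ("SYN", 2),
    ("FIN", 1),
]
BIT_OF: Dict[str, int] = dict(FLAG_BITS)


def _check_byte(value: int) -> None:
    if not 0 <= value <= 255:
        raise ValueError(f"TCP flags field must fit in one byte, got {value}")


def decode_by_counting(value: int) -> List[str]:
    """The post's method: walk left to right, take each flag whose value still
    fits in what remains, skip the ones that are too large."""
    _check_byte(value)
    remaining = value
    names = []
    for name, bit in FLAG_BITS:
        if bit <= remaining:
            names.append(name)
            remaining -= bit
    # Because every value is a power of two, the subtraction always reaches 0.
    assert remaining == 0
    return names


def decode(value: int) -> List[str]:
    """Same result using a bit test: a flag is set if its bit is set."""
    _check_byte(value)
    return [name for name, bit in FLAG_BITS if value & bit]


def encode(names: Iterable[str]) -> int:
    """Inverse of decode: OR the bit values of the named flags together."""
    value = 0
    for name in names:
        try:
            value |= BIT_OF[name.upper()]
        except KeyError:
            raise ValueError(f"unknown TCP flag name: {name}") from None
    return value


def describe(value: int) -> str:
    """Render the way the post's quick examples do: '18' -> 'ACK, SYN'."""
    names = decode(value)
    return ", ".join(names) if names else "Nothing"


# Constructed sample of exported flow records (src, dst, raw TCP Flags field).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", 27),  # ACK, PSH, SYN, FIN: a session that completed
    ("10.0.0.5", "10.0.0.9", 18),  # ACK, SYN
    ("10.0.0.7", "10.0.0.9", 2),   # SYN only: handshake never finished
    ("10.0.0.7", "10.0.0.9", 20),  # ACK, RST: torn down with a reset
]


def summarize(flows) -> Counter:
    """Tally decoded flag combinations across a set of flow records, the
    first step an analyst takes to spot SYN-only or RST-heavy traffic."""
    counts: Counter = Counter()
    for _src, _dst, raw in flows:
        counts[describe(raw)] += 1
    return counts


if __name__ == "__main__":
    for raw in (18, 24, 16, 2, 0):
        print(f"TCP Flag: {raw} - {describe(raw)}")
    for combo, n in summarize(SAMPLE_FLOWS).items():
        print(f"{n} flow(s) with {combo}")
```

Running the script prints the post's five worked values followed by a tally of the constructed records; `decode_by_counting` and `decode` agree on every value from 0 to 255, which is why the bit test is the form you would use in a collector while the subtraction is the form you do in your head.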