I am working with tshark and I've extracted a field called tcp.flags.str. I'm having a hard time understanding the meaning of these field values. For example, a few strings might look like:
·······A····
··········S·
·······A···F
····C··AP···
RRR·CE····S·
·······A·R·F
·R···EUAPRSF
··RN········
I've worked out that the entire filled string is RRRNCEUAPRSF, and I'm guessing that A: ACK, S: SYN, P: PUSH, U: URGENT, F: FIN, C: Congestion Window Reduced. Otherwise, I have no guesses other than that there are some R values, so somewhere there's a RESET and RESERVED, but I have no idea where. Where can I find some good documentation on this?
RFC 793 section 3.1 defines the original 6 TCP flags. RFC 3168 introduced the ECN-Echo and Congestion Window Reduced flags. RFC 3540 introduced the Nonce Sum flag, which Wireshark/tshark refers to as Accurate ECN, presumably from RFC 7560. The remaining 3 bits of the TCP flags field are still marked as Reserved. Thus, RRRNCEUAPRSF stands for:
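As an added example (not part of the question or the answer above), the following Python decoder turns a tcp.flags.str value back into flag names, the numeric 12-bit tcp.flags value, and a short list of combinations a defender would want to look at. It assumes the layout the answer gives, RRRNCEUAPRSF read most-significant bit first (bit 11 down to bit 0), that tshark prints a middle dot (U+00B7) for a clear bit (a plain "." is accepted as well, as an assumption about other locales), and the short names RES11/RES10/RES9/AE/CWR/ECE/URG/ACK/PSH/RST/SYN/FIN are this example's own choice. The sample strings are the ones quoted in the question.

```python
# Added example: decode tshark's tcp.flags.str column.
# Layout assumed from the answer above: RRRNCEUAPRSF, leftmost char = bit 11.
from typing import List

# (letter tshark prints when the bit is set, short name used here). Index 0 is
# bit 11, index 11 is bit 0; the names are this example's own choice.
FLAG_LAYOUT = [
    ("R", "RES11"),  # reserved, RFC 793 says must be zero
    ("R", "RES10"),
    ("R", "RES9"),
    ("N", "AE"),     # Nonce Sum (RFC 3540) / Accurate ECN as Wireshark labels it
    ("C", "CWR"),    # Congestion Window Reduced, RFC 3168
    ("E", "ECE"),    # ECN-Echo, RFC 3168
    ("U", "URG"),
    ("A", "ACK"),
    ("P", "PSH"),
    ("R", "RST"),
    ("S", "SYN"),
    ("F", "FIN"),
]
UNSET = {"\u00b7", "."}  # middle dot as printed by tshark; "." accepted as an assumption


def decode_flags(s: str) -> List[str]:
    """Return the names of the set flags, in tshark's left-to-right order."""
    if len(s) != len(FLAG_LAYOUT):
        raise ValueError(f"expected {len(FLAG_LAYOUT)} chars, got {len(s)}: {s!r}")
    names = []
    for pos, (letter, name) in enumerate(FLAG_LAYOUT):
        ch = s[pos]
        if ch in UNSET:
            continue
        if ch != letter:
            # Catches a mangled column or a string from a different layout.
            raise ValueError(f"position {pos}: expected {letter!r} or unset, got {ch!r}")
        names.append(name)
    return names


def flags_value(s: str) -> int:
    """Numeric value of the 12-bit flags field, as tshark shows for tcp.flags."""
    decode_flags(s)  # validate first
    value = 0
    for pos, ch in enumerate(s):
        if ch not in UNSET:
            value |= 1 << (len(FLAG_LAYOUT) - 1 - pos)
    return value


def anomalies(s: str) -> List[str]:
    """Flag combinations worth a second look in a capture (defensive triage)."""
    names = set(decode_flags(s))
    issues = []
    if names & {"RES11", "RES10", "RES9"}:
        issues.append("reserved bits set")
    if "SYN" in names and names & {"FIN", "RST"}:
        issues.append("SYN combined with FIN or RST")
    if not names:
        issues.append("no flags set")
    return issues


if __name__ == "__main__":
    # Constructed sample: the strings quoted in the question above.
    samples = [
        "·······A····", "··········S·", "·······A···F", "····C··AP···",
        "RRR·CE····S·", "·······A·R·F", "·R···EUAPRSF", "··RN········",
    ]
    for s in samples:
        print(f"{s}  0x{flags_value(s):03X}  {decode_flags(s)}  {anomalies(s)}")
```

Run it against a tshark export (for example `tshark -r capture.pcap -T fields -e tcp.flags.str`) by feeding each line to decode_flags; the hex value returned by flags_value should match what tshark prints for tcp.flags on the same packet, which is a quick way to confirm the bit order assumed here.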