Saturday, August 26, 2006

A Real Wireshark Quirk

Ok, what is the deal with this? (By the way, I don't care if this sounds like mindless rambling. It's late on a Saturday night and I'm analyzing traffic. W00t.)

Here are TCP flags from a random segment.

Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set

TCP flags occupy 1 byte, and that's it. Why does Wireshark/etc. say

Flags: 0x0018 (PSH, ACK)

Why not show

Flags: 0x18 (PSH, ACK)

instead?
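To make the width question concrete, here is a small C program, added to this page and not part of the original post or of Wireshark, that pulls the flags byte out of a constructed 20-byte TCP header, decodes it the way the Wireshark tree above does, and prints the byte with both format strings from Marty's comment below ("0x%04X" and "0x%02X"). The header bytes, the flag names and the function names are all this example's own; the only value taken from the post is the flags byte 0x18.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 20-byte TCP header with no options, laid out as on
 * the wire. Ports and sequence numbers are made up; the field that matters
 * here is byte 13, the flags byte, set to 0x18 (PSH, ACK) as in the post. */
static const uint8_t sample_tcp_header[20] = {
    0x00, 0x50,             /* source port 80 */
    0xC0, 0x01,             /* destination port 49153 */
    0x00, 0x00, 0x00, 0x01, /* sequence number */
    0x00, 0x00, 0x00, 0x02, /* acknowledgement number */
    0x50,                   /* data offset = 5 words, reserved bits zero */
    0x18,                   /* flags: PSH (0x08) | ACK (0x10) */
    0xFF, 0xFF,             /* window */
    0x00, 0x00,             /* checksum (not computed for this sample) */
    0x00, 0x00              /* urgent pointer */
};

/* Bit values of the eight flags in the one-byte flags field. */
enum {
    TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PSH = 0x08,
    TH_ACK = 0x10, TH_URG = 0x20, TH_ECE = 0x40, TH_CWR = 0x80
};

/* The flags byte sits at offset 13 of the TCP header. */
uint8_t tcp_flags_from_header(const uint8_t *hdr) {
    return hdr[13];
}

/* Write the set flags as a comma-separated list, lowest bit first, which
 * gives "PSH, ACK" for 0x18 as in the post's summary line. Returns the
 * number of flags set. */
int tcp_flags_to_string(uint8_t flags, char *out, size_t outlen) {
    static const struct { uint8_t bit; const char *name; } table[] = {
        {TH_FIN, "FIN"}, {TH_SYN, "SYN"}, {TH_RST, "RST"}, {TH_PSH, "PSH"},
        {TH_ACK, "ACK"}, {TH_URG, "URG"}, {TH_ECE, "ECE"}, {TH_CWR, "CWR"}
    };
    int count = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (flags & table[i].bit) {
            if (count++) strncat(out, ", ", outlen - strlen(out) - 1);
            strncat(out, table[i].name, outlen - strlen(out) - 1);
        }
    }
    return count;
}

/* Render one flag the way the Wireshark tree does ("...1 ...."): the bit's
 * own position shown as 0 or 1, every other position as '.'. */
void tcp_flag_bit_string(uint8_t flags, uint8_t bit, char out[10]) {
    int pos = 0;
    for (int i = 7; i >= 0; i--) {
        if (i == 3) out[pos++] = ' ';      /* nibble separator */
        if ((uint8_t)(1u << i) == bit)
            out[pos++] = (flags & bit) ? '1' : '0';
        else
            out[pos++] = '.';
    }
    out[pos] = '\0';
}

/* The two formats from the comment thread. Both print the same value; the
 * first pads a one-byte field to four hex digits, the second to the two
 * digits a byte actually occupies. */
void format_flags_wide(uint8_t flags, char *out, size_t outlen) {
    snprintf(out, outlen, "0x%04X", flags);   /* "0x0018" */
}
void format_flags_byte(uint8_t flags, char *out, size_t outlen) {
    snprintf(out, outlen, "0x%02X", flags);   /* "0x18" */
}

int main(void) {
    char names[64], s[16], bits[10];
    uint8_t flags = tcp_flags_from_header(sample_tcp_header);

    tcp_flags_to_string(flags, names, sizeof names);
    format_flags_wide(flags, s, sizeof s);
    printf("Flags: %s (%s)   <- 4-digit field width\n", s, names);
    format_flags_byte(flags, s, sizeof s);
    printf("Flags: %s (%s)     <- 2-digit width, the byte's real size\n", s, names);

    tcp_flag_bit_string(flags, TH_ACK, bits);
    printf("%s = Acknowledgment: %s\n", bits, (flags & TH_ACK) ? "Set" : "Not set");
    tcp_flag_bit_string(flags, TH_PSH, bits);
    printf("%s = Push: %s\n", bits, (flags & TH_PSH) ? "Set" : "Not set");
    return 0;
}
```

Compile with `cc -std=c99 -Wall tcpflags.c -o tcpflags`. The point the program makes is that nothing in the header changes between the two summary lines; only the printf field width does, which is exactly what a "%04X" versus "%02X" mix-up looks like on screen.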

4 comments:

Martin Roesch said...

Because someone did printf("0x%04X", tcph->th_flags); instead of printf("0x%02X", tcph->th_flags); ?

Looks like a little formatting bug to me...

Matt said...

That extra byte is for Unicode TCP flags, part of the IPV4i standard. :)

- Matt

Anonymous said...

Flags: 0x0018 (PSH, ACK) - The 18 is a hexadecimal value, indicated by the small 'x' before the two zeros. Eighteen in hex is equal to 24 in decimal, which is the same as the binary value represented by the flag bits (00011000 = 24).

Richard Bejtlich said...

Anonymous,

I know x means hex. I know 24 decimal is 0x18. I was asking why show 0x0018 instead of 0x18, since TCP flags occupy one byte ("18") and not two ("0018"). I think Marty's explanation is right.