A Real Wireshark Quirk

Ok, what is the deal with this? (By the way, I don't care if this sounds like mindless rambling. It's late on a Saturday night and I'm analyzing traffic. W00t.)

Here are TCP flags from a random segment.

Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set

TCP flags occupy 1 byte, and that's it. Why does Wireshark/etc. say

Flags: 0x0018 (PSH, ACK)

Why not

Flags: 0x18 (PSH, ACK)

instead?
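To make the one-byte layout concrete, here is an added example in C (my own code, not Wireshark's) that pulls the flags byte out of a constructed TCP header and renders the summary line with a two-digit and a four-digit zero-padded field width; the header bytes are made up for the demonstration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Flags byte offset: after ports (4), seq (4), ack (4) and data-offset byte. */
#define TCP_FLAGS_OFFSET 13

/* Constructed 20-byte TCP header (not a real capture): ports 443 -> 51234,
   seq/ack 0, data offset 5, flags 0x18 (PSH, ACK), window 65535. */
const uint8_t sample_hdr[20] = {
    0x01, 0xBB, 0xC8, 0x22,  0, 0, 0, 0,  0, 0, 0, 0,
    0x50, 0x18, 0xFF, 0xFF,  0, 0, 0, 0
};

/* Bit assignments in the flags byte, low bit first, as in the bit diagram. */
static const struct { uint8_t bit; const char *name; } flag_names[] = {
    { 0x01, "FIN" }, { 0x02, "SYN" }, { 0x04, "RST" }, { 0x08, "PSH" },
    { 0x10, "ACK" }, { 0x20, "URG" }, { 0x40, "ECE" }, { 0x80, "CWR" },
};

/* Extract the one-byte flags field from a raw TCP header. */
uint8_t tcp_flags(const uint8_t *hdr)
{
    return hdr[TCP_FLAGS_OFFSET];
}

/* Build "Flags: 0x18 (PSH, ACK)".  'width' is the zero-padded printf field
   width: 2 shows the byte as two hex digits, 4 reproduces the post's "0x0018".
   Returns a static buffer, so copy it before the next call. */
const char *flags_summary(uint8_t flags, int width)
{
    static char line[64];
    int n = snprintf(line, sizeof line, "Flags: 0x%0*X (", width, (unsigned)flags);
    int first = 1;
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (!(flags & flag_names[i].bit))
            continue;
        n += snprintf(line + n, sizeof line - n, "%s%s", first ? "" : ", ", flag_names[i].name);
        first = 0;
    }
    snprintf(line + n, sizeof line - n, ")");
    return line;
}

int main(void)
{
    uint8_t f = tcp_flags(sample_hdr);
    printf("%s   <- %%04X, the quirk\n", flags_summary(f, 4));
    printf("%s     <- %%02X, one byte\n", flags_summary(f, 2));
    return 0;
}
```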

Comments

Martin Roesch said…
Because someone did printf("0x%04X", tcph->th_flags); instead of printf("0x%02X", tcph->th_flags); ?

Looks like a little formatting bug to me...
Anonymous said…
That extra byte is for Unicode TCP flags, part of the IPV4i standard. :)

- Matt
Anonymous said…
Flags: 0x0018 (PSH, ACK) - The 18 is a hexadecimal value, indicated by the small 'x' before the two zeros. Eighteen in hex is equal to 24 in decimal, which is the same as the binary value represented by the flag bits (00011000 = 24).

Anonymous,

I know x means hex. I know 24 decimal is 0x18. I was asking why show 0x0018 instead of 0x18, since TCP flags occupy one byte ("18") and not two ("0018"). I think Marty's explanation is right.
