Saturday, October 4, 2025

Understanding TCP Flags: The Control Bits of TCP Connections

Transmission Control Protocol (TCP) is one of the pillars of internet communication. It ensures reliable, ordered, and error-checked delivery of data between systems. Behind the scenes, TCP relies on flags — small control bits in the TCP header — to manage the lifecycle and flow of a connection.

These TCP flags signal events such as connection setup, acknowledgment of data, or termination of a session. Without them, the reliable communication we take for granted wouldn’t be possible.

TCP flags may only be single bits in a header, but they play a critical role in how the internet functions. From establishing connections to managing congestion and closing sessions, these control bits define the entire TCP lifecycle.

Whether you’re analyzing network packets with Wireshark, troubleshooting a connection issue, or just curious about how the internet really works — understanding TCP flags is essential.

The TCP header contains several one-bit boolean fields known as flags used to influence the flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification, there are six TCP control flags. Four of these (SYN, FIN, ACK, RST) are used to control the establishment, maintenance, and tear-down of a TCP connection.

Acronym

Name

Meaning

SYN

Synchronization

Used to create a TCP connection (Initiates a connection)

ACK

Acknowledgment

Used to acknowledge the reception of data or synchronization packets

PSH

Push

Instruct the network stacks to Bypass the buffering(MSS size) I,e Asks to push the entire buffered data to receiving application immediately

URG

Urgent

Indicates out-of-band data that must be processed by the network stacks before normal data I, Bypass the queue

FIN

Finish

Gracefully terminate the TCP connection

RST

Reset

Immediately terminate the connection and drop any in-transit data

 

What Are TCP Flags?

Each TCP packet has a header that contains several fields, including flags (control bits). These flags are 1-bit markers that indicate how a packet should be interpreted. By setting or clearing these bits, devices coordinate connection states, error recovery, and data transfer behaviors. 

The 6-bit Flags field is used to relay control information between TCP peers. The possible flags include SYN, FIN, RESET, PUSH, URG, and ACK.

  1. URG: Urgent pointer is valid
  2. ACK: Acknowledgement Number is valid
  3. PSH:  PUSH Flag
  4. RST: Reset the connection
  5. SYN: Synchronize sequence numbers
  6. FIN:  Sender is finished with sending
  • The SYN and FIN flags are used when establishing and terminating a TCP connection, respectively.
  • The ACK flag is set any time the Acknowledgement field is valid, implying that the receiver should pay attention to it.
  • The URG flag signifies that this segment contains urgent data. When this flag is set, the UrgPtr field indicates where the non-urgent data contained in this segment begins. The following bytes contains an utgent message in the range: (SeqNo <= urgent message <= SeqNo+urgent pointer)
  • The PUSH flag signifies that the sender invoked the push operation, which indicates to the receiving side of TCP that it should notify the receiving process of this fact. Normally set by sender when the sender’s buffer is empty
  • Finally, the RESET flag signifies that the receiver has become confused and so wants to abort the connection. 


 
Synchronization (SYN) – It is used in first step of connection establishment phase or 3-way handshake process between the two hosts. Only the first packet from sender as well as receiver should have this flag set. This is used for synchronizing sequence number i.e. to tell the other end which sequence number they should accept. During the 3-way handshake we are able to count a total of 2 SYN flags transmitted, one by each host. 
  • Purpose: Initiates a TCP connection.
  • Usage: Part of the three-way handshake (SYN → SYN-ACK → ACK).
  • Example: When your browser connects to a web server, it first sends a SYN packet. 
  • Wireshark View : tcp.flags.syn == 1 && tcp.flags.ack == 0 
 
 
 
Acknowledgement (ACK) – It is used to acknowledge packets which are successful received by the host. The flag is set if the acknowledgement number field contains a valid acknowledgement number.  
  • Purpose: Confirms receipt of data.
  • Usage: Present in almost all TCP segments after the connection is established.
  • Example: If Host A sends data, Host B responds with an ACK to confirm successful receipt.

After the connection is established, data is sent and acknowledged by both sides. Each peer in the connection maintains a couple of counters:

  • The sequence counter, which counts the number of bytes sent
  • The acknowledgment counter, which counts the number of bytes received

 

The following sequence diagram illustrates how this works:

The number of bytes that have been sent but not acknowledged yet is called the “TCP window.” There are actually two TCP windows, one for each peer in the TCP connection. In the diagram above, the TCP window before the right side’s last packet is 90 bytes. The size of TCP windows is limited to 65,535 bytes in the original TCP specification, but this can be increased through TCP extensions.

A packet with the ACK flag set is used to acknowledge the bytes received by a peer. It is used in combination with the acknowledgment counter to inform the other peer of the last bytes received. This information is then used to determine whether some packets have been lost, in which case the sending peer will retransmit the lost packets.

  
Finish (FIN) - Graceful termination

 It is used to request for connection termination i.e. when there is no more data from the sender, it requests for connection termination. This is the last packet sent by sender. It frees the reserved resources and gracefully terminates the connection. 

One peer of the TCP connection can signal to the other that it wants to terminate the connection by sending a packet with a FIN flag. The other side then acknowledges that by sending a packet with both the FIN and ACK flags set and can then proceed to terminate its side of the connection. This four-way handshake is illustrated in the diagram below:

When the connection is terminated, any buffered or in-transit data will still be processed. In fact, any peer that didn’t send a FIN packet is still allowed to send data. This is rare in practice, as a higher-level protocol (HTTP, for example) usually has its own mechanism to signal that the connection is ending and that no more data needs to be sent by either side.

  • Purpose: Gracefully ends a connection.
  • Usage: Used when one side has no more data to send.
  • Example: After a file transfer is complete, the sender transmits a FIN flag to signal termination.
  • Wireshark View : tcp.flags.fin == 1 

 

Reset (RST) – Aborting a connection

Either side of the TCP connection can decide to abort the connection. This is done when the peer in question believes the connection should not exist for some reason. In such a case, one peer sends a packet with the RST flag set. The other peer, upon reception of the RST packet, must immediately stop sending any data.

When a connection is aborted in such a way, data in transit and buffered data is lost. So there is the potential for data loss, but this shouldn’t be a problem if this connection wasn’t valid to start with. RST packets are rare in real life and are probably used more for nefarious purposes than legitimate ones.

It is used to terminate the connection if the RST sender feels something is wrong with the TCP connection or that the conversation should not exist. It can get send from receiver side when packet is send to particular host that was not expecting it. 

  • Purpose: Immediately terminates a connection.
  • Usage: Used when something goes wrong (e.g., data sent to a closed port).
  • Example: If you send data to a port where no service is listening, the host replies with an RST. 
  • Wireshark View : tcp.flags.reset == 1 

Aspect

FIN (Finish)

RST (Reset)

Connection Termination

Graceful

Abortion

Termination Process

Uses a 4-way handshake (FIN → ACK, FIN → ACK)

Immediately closes the connection without handshake

Buffered Data

No data loss – remaining data is transmitted before closing

Data is discarded/dropped – in-flight data may be lost

Typical Usage

Normal TCP connection closure (e.g., after HTTP response, file transfer, email delivery)

Errors, invalid packets, closed ports, attacks, or out-of-ordinary connection events

Behavior

Signals: “I’m done sending, but I’ll still receive until you’re done.”

Signals: “Stop right now, something’s wrong.”

Impact on Applications

Application sees a clean end-of-stream (EOF)

Application may see an abrupt error or timeout

Wireshark Filter

tcp.flags.fin == 1

tcp.flags.reset == 1

Example

After downloading a file, the server sends a FIN to close politely

Connecting to port 81 on a server with no service listening results in an RST

  Push (PSH) – Bypass Sending/Receiving Buffer Size(MSS) For Pushed Data

The PSH flags instruct the operating system to send (for the sending side) and receive (for the receiving side) the data immediately. In other words, this flag instructs the operating system’s network stack to send/receive the entire content of its buffers immediately without waiting for the buffer (MSS) to become full on both sender and receiver end. 

TCP operates at layer four of the OSI model; it presents to upper layers a simple socket which can be read from and written to, masking the complexities of packet-based communications. To allow applications to read from and write to this socket at any time, buffers are implemented on both sides of a TCP connection in both directions.

When an application layer sends the data, it is temporarily queued in the TCP buffer, a special area in the memory, until the segment has reached a certain size (called MSS). So if we send a character it won't send it immediately but Transport layer by default waits for some time for application layer to send enough data equal to maximum segment size (MSS) and is then sent to the receiver so that the number of packets transmitted on network minimizes. When the segment arrives at the receiving end, it is placed in the TCP incoming buffer before it is passed onto the application layer. The data queued in the incoming buffer will remain there until the other segments arrive and, once this is complete, the data is passed to the application layer that's waiting for it.

 The purpose of the PSH bit is to tell TCP that do not wait for the buffer to become full and send the segment immediately to network layer as soon as it receives signal from application layer. Similarly when the receiver receives the segment with PSH flag set, should forward the data immediately to the application layer without waiting for the receive buffer to become full.

 This design guarantees that the data transfer is as efficient as possible, without waisting time and bandwidth by creating multiple segments, but combining them into one or more larger ones.It is not desirable by some application like interactive applications (chatting) I,e when we want data to go straight on the wire without any waiting time then there the PUSH function comes in. If we PUSH data then the TCP will immediately create a segment (or a few segments) and push them. But the story doesn't stop here. When the peer TCP receives the data, it will naturally buffer them it won't disturb the application for each and every byte. Here's where the PSH flag kicks in. If a receiving TCP sees the PSH flag it will immediately push the data to the application.

The practical example of this is the telnet application where the application sends data in the form of few keystrokes. The telnet will become unusable if it waits for the buffer to become full and then transits the data to the receiver. One more example is real player, where data must be sent and processed (by the receiver) immediately to ensure a smooth stream without any cut offs.

There's no API to set the PSH flag. Typically it is set by the kernel when it empties the buffer I,e the buffer used at sender side has been emptied in conjunction with sending the packet. This particular flag is used quite frequently at the beginning and end of a data transfer, affecting the way the data is handled at both ends. When the packet with the PSH bit field set left the sender, the sender had no more data to send.

The socket that TCP makes available at the session level can be written to by the application with the option of "pushing" data out immediately, rather than waiting for additional data to enter the buffer. When this happens, the PSH flag in the outgoing TCP packet is set to 1 (on). Upon receiving a packet with the PSH flag set, the other side of the connection knows to immediately forward the segment up to the application. To summarize, TCP's push capability accomplishes two things:

  • The sending application informs TCP that data should be sent immediately.
  • The PSH flag in the TCP header informs the receiving host that the data should be pushed up to the receiving application immediately.

 

 

  • Purpose: Instructs the receiver to deliver data to the application immediately.
  • Usage: Ensures no unnecessary buffering delays.
  • Example: Used in interactive applications like SSH or Telnet, where keystrokes must appear instantly.
  • Wireshark View: tcp.flags.push == 1 

Urgent (URG) – Bypass Sending/Receiving Queue For Urgent Data

This flag is used to identify incoming data as 'urgent'. Such incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately.

This flag is used to identify incoming data as 'urgent'. Such incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately.

An Urgent Pointer could be used during a stream of data transfer where a host is sending data to an application running on a remote machine. If a problem appears, the host machine needs to abort the data transfer and stop the data processing on the other end. Under normal circumstances, the abort signal will be sent and queued at the remote machine until all previously sent data is processed, however, in this case, we need the abort signal to be processed immediately.

By setting the abort signal's segment Urgent Pointer flag to '1', the remote machine will not wait till all queued data is processed and then execute the abort. Instead, it will give that specific segment priority, processing it immediately and stopping all further data processing.

 Real-life example:

At your local post office, hundreds of trucks are unloading bags of letters from all over the world. Because the amount of trucks entering the post office building are abundant, they line up one behind the other, waiting for their turn to unload their bags. As a result, the queue ends up being quite long. However, a truck with a big red flag suddenly joins the queue and the security officer, whose job it is to make sure no truck skips the queue, sees the red flag and knows it's carrying very important letters that need to get to their destination urgently. By following the normal procedures, the security officer signals to the truck to skip the queue and go all the way up to the front, giving it priority over the other the trucks. In this example, the trucks represent the segments that arrive at their destination and are queued in the buffer waiting to be processed, while the truck with the red flag is the segment with the Urgent Pointer flag set.

Data inside a segment with URG = 1 flag is forwarded to application layer immediately even if there are more data to be given to application layer. It is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received.

The URG bit, if set prioritizes the data, meaning thereby instead of waiting for the entire byte stream to be transmitted which is ahead of the "Urgent" data, the urgent data will be sent on urgent basis and will not wait for the entire byte stream to be transmitted which is ahead of it. When the URG bit is set the Urgent Pointer is also set (in the TCP header Options field: 16 bit). The URG pointer tells how many bytes of the data is urgent in the segment that has arrived. (Example if the data size is 100 bytes and only first 50 bytes is urgent, the urgent pointer will have a value of 50). When you send urgent data, your TCP creates a special segment in which it sets the URG flag and also the urgent pointer field. This causes the receiving TCP to forward the urgent data on a separate channel to the application (for instance on Unix your process gets a SIGURG). This allows the application to process the data out of band¹.

The URG flag is used to inform a receiving station that certain data within a segment is urgent and should be prioritized. If the URG flag is set, the receiving station evaluates the urgent pointer, a 16-bit field in the TCP header. This pointer indicates how much of the data in the segment, counting from the first byte, is urgent.

The URG flag is used to signal “urgent” data that should be prioritized over non-urgent data. This is used to send so-called “out-of-band data,” which is treated in a special way by the operating system and usually signals some kind of exception in the application protocol. Note that in practice, this feature of TCP is seldom used.

public void sendUrgentData(int data) throws IOException
public void setOOBInline(boolean on) throws SocketException
public boolean getOOBInline() throws SocketException
  • Purpose: Marks data as urgent, requiring priority processing.
  • Usage: Works with the Urgent Pointer field to highlight critical data.
  • Example: Rarely used today, but was historically important for signaling interrupts.

Difference between PUSH and URG

Suppose the receiving buffer has already some data to be processed by the application. A segment with the PSH flag set to 1 is sent now. The sending buffer will not wait to be filled, instead, it will immediately push the entire data of its buffers into the wire. Now, this data will queue up behind the already non-processed data in the receiving buffer. After the previous data is processed then only the data with PSH=1 can be forwarded to the application on receiver end.

When URG is set, the data can be immediately forwarded to the application ignoring the already existent data in the receiving buffer. In other words, URG=1 violates the FIFO structure.

The major difference between PSH=1 and URG=1 is that the former follows the ordering of the data in the receiving buffer whereas the latter doesn't and that's why the name is URG i.e. to send urgent data.

 

PSH flag will carry the buffer memory size, where the URG flag will carry the address of that memory. PSH flag will help the packet transmission little bit faster. URG flag is only used for when any urgently required packet is send to the destination or server.

 

PSH

URG

All data in buffer to be pushed to NL(sender)/AL(receiver)

Only the urgent data to be given to AL immediately

Data is delivered in sequence I,e follows the ordering of the data in the receiving buffer.

Data is delivered out of sequence I,e ignoring the already existent data in the receiving buffer

PSH=1 follows the FIFO structure.

URG=1 violates the FIFO structure.

It Bypass the buffer size I,e not wait until buffer to get full of MSS size on sender and receiver end. Sender will send entire buffered content immediately and receiver also forward entire buffer content immediately. But this data will queue up behind the already non-processed data in the receiving buffer. After the previous data is processed from buffer then only the data with PSH=1 can be forwarded to the application on receiver end.

  

It Bypass the Queue in order to send and receive urgent data. This causes the receiving TCP to forward the urgent data on a separate channel to the application.

No separate channel will get created on receiving TCP to forward the buffered data to application.

A Separate channel will get created to forward urgent data from buffered data to application.

ECE (ECN Echo) and CWR (Congestion Window Reduced)

  • Purpose: Handle congestion control with Explicit Congestion Notification (ECN).
  • Usage:
    • ECE: Signals that congestion was experienced.
    • CWR: Sent by the sender to acknowledge that it reduced its congestion window.
  • Example: Helps prevent packet drops by adapting transmission rates under heavy traffic.
  • Wireshark View : tcp.flags.ecn == 1 

Putting It All Together: A Typical TCP Lifecycle

  • Connection Establishment (3-Way Handshake):
    • SYN → SYN-ACK → ACK
  • Data Transfer:
    • ACK confirms delivery
    • PSH ensures real-time transmission when required
  • Congestion Handling:
    • ECE and CWR help balance traffic load
  • Connection Termination:
    • Graceful shutdown with FIN
    • Abrupt termination with RST 

 TCP Flags Quick Reference Table with examples included:

Flag

Full Form

Purpose

Typical Use Case

Example

SYN

Synchronize

Initiates a connection

Connection handshake

When you open a browser and visit https://example.com, your system sends a SYN packet to the server.

ACK

Acknowledgment

Confirms receipt of data

Data acknowledgment

After receiving a web page chunk, your computer sends an ACK back to the server.

FIN

Finish

Gracefully closes a connection

End of data transfer

After a file download completes, the client sends a FIN to indicate no more data will be sent.

RST

Reset

Abruptly ends connection

Error / closed port

If you connect to port 81 on a server where no service is listening, it replies with an RST.

PSH

Push

Deliver data immediately to application

Interactive sessions

In SSH, when you press a key, a PSH ensures the keystroke is sent to the remote host without delay.

URG

Urgent

Prioritize urgent data

Legacy signals

Telnet once used URG to send interrupt commands (Ctrl+C) immediately.

ECE

ECN Echo

Reports congestion

ECN-enabled networks

A router experiencing congestion sets ECN, and the receiver returns an ECE flag to notify the sender.

CWR

Congestion Window Reduced

Acknowledges congestion handling

ECN acknowledgment

After receiving ECE, the sender reduces its window and marks the next packet with CWR.

 Difference Between PSH and URG Flags

Aspect

PSH (Push)

URG (Urgent)

Purpose

Ensures data is delivered immediately to the application (no waiting for buffer fill).

Marks part of the data stream as urgent, using the Urgent Pointer field.

Scope

Affects all data in the segment – tells the receiver to push buffered data up.

Applies only to a portion of the data marked as urgent.

Use Case

Interactive or real-time applications (e.g., SSH, Telnet, chat).

Sending interrupt or control signals (e.g., abort/kill command in Telnet).

Modern Usage

Still relevant in real-time/low-latency communications.

Rarely used today; largely obsolete in modern protocols.

Example

When you press a key in SSH, PSH ensures the keystroke reaches the server immediately.

In legacy Telnet, pressing Ctrl+C would set URG to signal an interrupt.

 Difference Between RST and FIN Flags

Aspect

FIN (Finish)

RST (Reset)

Purpose

Gracefully closes a TCP connection.

Abruptly terminates a TCP connection.

Behavior

Tells the peer: “I have finished sending data, but I can still receive.”

Tells the peer: “Something went wrong, stop immediately.”

Connection State

Allows a proper four-way handshake to close the session.

Immediately drops the connection without a handshake.

Use Case

Normal end of a session (e.g., after file transfer or HTTP response).

Error conditions, invalid packets, closed ports, or abnormal termination.

Impact on Data

Ensures all in-flight data is delivered before closing.

Discards any in-flight data — data may be lost.

Example

After downloading a file, the server sends a FIN to close the session cleanly.

If you connect to a closed port on a server, it responds with an RST.

Wireshark Filter

tcp.flags.fin == 1

tcp.flags.reset == 1

 

No comments:

Post a Comment