Next: Format Up: Non-Payload Detection Rule Options Previous: Warning   Contents

flags

The flags keyword is used to check if specific TCP flag bits are present.

The following bits may be checked (one letter per flag, written in the order they appear in the TCP flags byte):

F - FIN - Finish (LSB in TCP flags byte)
S - SYN - Synchronize sequence numbers
R - RST - Reset
P - PSH - Push
A - ACK - Acknowledgment
U - URG - Urgent
E - ECE - ECN-Echo (on a SYN it signals ECN capability; on any other segment it echoes a CE mark seen in the IP header)
C - CWR - Congestion Window Reduced (MSB in TCP flags byte)
0 - No TCP flags set

With no modifier, the packet's flags must match the specified bits exactly: every listed bit set and no other bit set. The following modifiers change the match criteria:

+ - match if all of the specified bits are set, regardless of any other bits
* - match if any of the specified bits are set
! - match if none of the specified bits are set

Because the default is an exact match, a rule written for session-initiation packets has to account for ECN: an ECN-capable host sends its SYN with CWR and ECE also set, so a plain check for the SYN bit would miss it. For this case an optional mask may be given after a comma; the flags named in the mask are ignored when the packet's flags are compared. A rule could therefore check for a flags value of S,CE to find packets with just the SYN bit set, regardless of the values of the CWR and ECE bits (the two high-order bits that were reserved before ECN).
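A worked example of how the flag letters, the three modifiers and the mask combine, added here as an illustration; it is not part of the Snort manual or of Snort's source. It models the comparison in Python: the mask letters after the comma are cleared from the packet's flags byte before the comparison, the default is an exact match, and the modifiers relax it as described above. The flag bytes it is run against are constructed samples (a plain SYN, an ECN SYN with CWR and ECE set, a SYN/ACK, a null scan, an Xmas scan) and the function names are this example's own.

```python
"""Model of the Snort 'flags' rule option (added example, not Snort code)."""

# TCP flag bit values as laid out in the TCP flags byte (RFC 793 / RFC 3168).
FLAG_BITS = {
    "F": 0x01,  # FIN (least significant bit)
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "C": 0x80,  # CWR (most significant bit)
}
MODIFIERS = "+*!"


def flags_to_bits(letters):
    """Turn a run of flag letters such as 'SA' or 'CE' into a bit mask; '0' means no bits."""
    if letters == "0":
        return 0
    value = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        value |= FLAG_BITS[ch]
    return value


def parse_flags_option(option):
    """Parse the argument of a 'flags' option, e.g. 'S', 'SA+', '!A', '0', 'S,CE'.

    Returns (mode, bits, mask): mode is '' (exact), '+', '*' or '!'; bits are the
    flags named before the comma; mask are the flags named after it, which are
    ignored during matching. In this model the modifier may sit at either end
    of the flag letters ('SA+' and '+SA' are equivalent).
    """
    spec, _, mask_spec = option.replace(" ", "").partition(",")
    mode = ""
    letters = ""
    for ch in spec:
        if ch in MODIFIERS:
            if mode:
                raise ValueError("only one modifier is allowed")
            mode = ch
        else:
            letters += ch
    if not letters:
        raise ValueError("no flags specified")
    return mode, flags_to_bits(letters), flags_to_bits(mask_spec) if mask_spec else 0


def flags_match(option, tcp_flags_byte):
    """Return True if a packet whose TCP flags byte is tcp_flags_byte satisfies the option."""
    mode, bits, mask = parse_flags_option(option)
    observed = tcp_flags_byte & ~mask & 0xFF  # masked flags are ignored entirely
    if mode == "":
        return observed == bits            # exact match: these bits and no others
    if mode == "+":
        return observed & bits == bits     # all specified bits, others allowed
    if mode == "*":
        return observed & bits != 0        # at least one specified bit
    return observed & bits == 0            # '!': none of the specified bits


# Constructed sample flag bytes standing in for captured TCP headers.
SAMPLE_PACKETS = [
    ("plain SYN", 0x02),
    ("ECN SYN (SYN+CWR+ECE)", 0xC2),
    ("SYN/ACK", 0x12),
    ("bare ACK", 0x10),
    ("RST", 0x04),
    ("null scan (no flags)", 0x00),
    ("Xmas scan (FIN+PSH+URG)", 0x29),
]


def matching_packets(option, packets=SAMPLE_PACKETS):
    """Labels of the sample packets that the given flags option would fire on."""
    return [label for label, flags in packets if flags_match(option, flags)]


if __name__ == "__main__":
    for option in ("S", "S,CE", "S+", "SA", "!A", "FPU*", "0"):
        print(f"flags:{option:<6} -> {matching_packets(option)}")
```

Running it shows the point of the mask directly: `flags:S` fires only on the plain SYN, while `flags:S,CE` also fires on the ECN SYN, and `flags:S+` additionally picks up the SYN/ACK because the ACK bit is no longer excluded.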



Eugene Misnik 2013-05-08