[Contrail] TCP flags in vRouter Agent TCP flows explained with examples

  [KB33567]


Summary:

When a vRouter Agent builds TCP flows, it uses different variables to indicate flow status. A "TCP flag" is one of the variables reflected in the flow table, which is updated whenever a new TCP flag is received in the flow during TCP interaction.

This article explains some of the commonly seen flags in TCP flow entries.

 

Solution:

Some of the commonly seen TCP flags in a TCP flow entry are as follows:

  • S: SYN Received

  • Sr: Reverse SYN Received

  • E: Established

  • Er: Reverse Flow Established

  • F: FIN Received

  • Fr: Reverse FIN Received

  • C: TCP Half Close

 

SSrEEr

When a TCP flow is being established, the TCP flags show SSr, which indicates that a TCP SYN has been received in both directions. When the session is fully established, this is indicated by the EEr flags in the flow entry.

Example flow entry

Listing flows matching ([4.4.4.200]:22)

    Index                Source:Port/Destination:Port                      Proto(V)
-----------------------------------------------------------------------------------
   387368<=>516872       4.4.4.5:60139                                       6 (1)
                         4.4.4.200:22
(Gen: 1, K(nh):13, Action:F, Flags:, TCP:SSrEEr, E:1, QOS:-1, S(nh):0,
 Stats:759/53415,  SPort 62432, TTL 0, Sinfo 23.0.0.0)
   516872<=>387368       4.4.4.200:22                                        6 (1)
                         4.4.4.5:60139
(Gen: 1, K(nh):13, Action:F, Flags:, TCP:SSrEEr, QOS:-1, S(nh):0,  Stats:750/80453,
 SPort 56830, TTL 0, Sinfo 172.18.102.80)
 

S or Sr Only

When there is only TCP:S in the flow, it indicates that the TCP SYN flag has been received, but no ACK has been received for it yet. This means that the flow is still waiting to be fully established. The reverse flow will show the corresponding TCP:Sr flag.

Example

root@comp106:~# flow --match "4.4.4.100"
Flow table(size 80609280, entries 629760)

Entries: Created 431960 Added 431960 Deleted 863738 Changed 863738 Processed 431960 Used Overflow entries 0
(Created Flows/CPU: 149 312 528 19760 1225 57799 592 18899 539 12487 583 7534 237 261830 197 5231 2182 4647 1491 3088 1303 19875 1576 9896)(oflows 0)

Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
 Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
 Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead


Listing flows matching ([4.4.4.100]:*)

    Index                Source:Port/Destination:Port                      Proto(V)
-----------------------------------------------------------------------------------
    17896<=>426212       4.4.4.14:40514                                      6 (8)
                         4.4.4.100:22
(Gen: 13, K(nh):70, Action:F, Flags:, TCP:S, QOS:-1, S(nh):0,  Stats:4/296,
 SPort 51482, TTL 0, Sinfo 7.0.0.0)

   426212<=>17896        4.4.4.100:22                                        6 (8)
                         4.4.4.14:40514
(Gen: 21, K(nh):70, Action:F, Flags:, TCP:Sr, QOS:-1, S(nh):0,  Stats:0/0,
 SPort 56177, TTL 0, Sinfo 0.0.0.0)
 

FFr and FFrC

When a TCP FIN is received, the flow entry is updated with an additional "F" flag, which is followed by a wait for the reverse FIN packet's arrival. When the reverse FIN is received, another flow flag update is triggered with Fr, which is followed by a wait for the TCP disconnection process to be finished (HalfClose).

In normal scenarios, the whole TCP disconnection process completes very quickly and the flow entry is cleared immediately. In this case, you may not be able to see the flows with the TCP FIN flags.

However, in some cases (for example, if the VNF or the vRouter Agent has problems), you will see the transient status for a while. In a lab environment, these transient statuses can be observed by using a firewall filter to hold some of the TCP packets with certain flags.

Example

Listing flows matching ([172.18.101.103]:179, [172.18.79.79]:*)

  Index                Source:Port/Destination:Port                     Proto(V)
  522980<=>64576        172.18.101.103:179                              6 (0->1)
                        172.18.79.79:50003
(Gen: 117, K(nh):5, Action:N(SDPd), Flags:, TCP:SSrEErFFr, E:0, QOS:-1, S(nh):0,
Stats:597/37664,  SPort 60187, TTL 0, Sinfo 0.0.0.0)


Listing flows matching ([4.4.4.1]:179, [4.4.4.100]:*)

    Index                Source:Port/Destination:Port                      Proto(V)
    64576<=>522980       4.4.4.100:50338                                     6 (1->0)
                         4.4.4.1:179
(Gen: 4, K(nh):90, Action:N(SPsD), Flags:, TCP:SSrEErFFrC, QOS:-1, S(nh):0,
 Stats:587/44901,  SPort 50499, TTL 255, Sinfo 7.0.0.0)


Listing flows matching (Protocol TCP)

    Index                Source:Port/Destination:Port                      Proto(V)
-----------------------------------------------------------------------------------
   278108<=>522980       4.4.4.100:51196                                     6 (1->0)
                         4.4.4.1:179
(Gen: 1, K(nh):89, Action:N(SPsD), Flags:, TCP:SSrEErFFrC, QOS:-1, S(nh):0,
 Stats:19/1681,  SPort 49837, TTL 255, Sinfo 6.0.0.0)

   522980<=>278108       172.18.101.103:179                                  6 (0->1)
                         172.18.79.79:50003
(Gen: 134, K(nh):5, Action:N(SDPd), Flags:, TCP:SSrEErFFr, E:1, QOS:-1, S(nh):0,
 Stats:29/2687,  SPort 57514, TTL 0, Sinfo 0.0.0.0)
 

No flags

Non-TCP flows will not have any TCP flags in the flow.

Sometimes, a TCP flow may have no TCP flags at all. This is normal if the TCP traffic has stopped for a while and is starting again. In this case, the old flow times out and a new flow is triggered by the TCP packet, which carries no TCP flags.

Example

Listing flows matching ([4.4.4.200]:22)

    Index                Source:Port/Destination:Port                      Proto(V)
-----------------------------------------------------------------------------------
     1916<=>21800        4.4.4.200:22                                        6 (1)
                         4.4.4.5:60137
(Gen: 4, K(nh):13, Action:F, Flags:, TCP:, QOS:-1, S(nh):0,  Stats:76/7504,
 SPort 52277, TTL 0, Sinfo 172.18.102.80)

    21800<=>1916         4.4.4.5:60137                                       6 (1)
                         4.4.4.200:22
(Gen: 4, K(nh):13, Action:F, Flags:, TCP:, E:1, QOS:-1, S(nh):0,  Stats:113/8998,
 SPort 56861, TTL 0, Sinfo 23.0.0.0)
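
The flag strings shown in the examples above can be decoded mechanically when many flows have to be reviewed. The following Python sketch is an added example, not part of the original article or of any Juniper tooling: it tokenizes the TCP: field using the legend printed by the flow utility and labels each flow with the state described in the sections above. The function names and state labels are assumptions made for illustration, and the sample lines are detail lines taken from the article's own example output.

```python
import re

# Legend from the flow utility: TCP(r=reverse):S=SYN, F=FIN, R=RST,
# C=HalfClose, E=Established, D=Dead. A trailing "r" marks the reverse flow.
TOKEN = re.compile(r"[SFRCED]r?")
# The parenthesised detail line of each flow entry carries "TCP:<flags>,".
TCP_FIELD = re.compile(r"\bTCP:([A-Za-z]*),")

# Detail lines taken from the article's examples (one per flow entry).
SAMPLE = """\
(Gen: 1, K(nh):13, Action:F, Flags:, TCP:SSrEEr, QOS:-1, S(nh):0,
(Gen: 13, K(nh):70, Action:F, Flags:, TCP:S, QOS:-1, S(nh):0,  Stats:4/296,
(Gen: 117, K(nh):5, Action:N(SDPd), Flags:, TCP:SSrEErFFr, E:0, QOS:-1,
(Gen: 4, K(nh):90, Action:N(SPsD), Flags:, TCP:SSrEErFFrC, QOS:-1, S(nh):0,
(Gen: 4, K(nh):13, Action:F, Flags:, TCP:, QOS:-1, S(nh):0,  Stats:76/7504,
"""

def tokenize(flags):
    """Split e.g. 'SSrEErFFrC' into ['S', 'Sr', 'E', 'Er', 'F', 'Fr', 'C']."""
    tokens, pos = [], 0
    while pos < len(flags):
        m = TOKEN.match(flags, pos)
        if not m:
            raise ValueError(f"unknown TCP flag at {flags[pos:]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens

def classify(flags):
    """Map a flag string to a state label (labels are this example's own)."""
    t = set(tokenize(flags))
    if not t:
        return "no-flags"            # flow re-created after a timeout
    if t & {"R", "Rr", "D", "Dr"}:
        return "reset-or-dead"       # from the legend; not shown in the article
    if "C" in t:
        return "half-close"
    if t & {"F", "Fr"}:
        return "closing"             # FIN seen, teardown not finished
    if {"E", "Er"} <= t:
        return "established"
    return "handshake-pending"       # only S / Sr so far

def flow_states(output):
    """Return [(flag_string, state)] for every detail line in flow output."""
    return [(f, classify(f)) for f in TCP_FIELD.findall(output)]

if __name__ == "__main__":
    for flags, state in flow_states(SAMPLE):
        print(f"{flags or '-':12} {state}")
```

Flows that stay in handshake-pending, closing or half-close across repeated runs are the transient states the article describes as worth investigating.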

 
