I'm attempting to perform some statistical analysis of NetFlow data from a dataset that was provided to me; however, I am getting a number of TCP flags that do not represent the normal UAPRSF format.
The following hex values have also been included:
- 0x52
- 0x5a
- 0xc2
- 0xd3
- 0xd6
- 0xd7
- 0xda
- 0xdb
- 0xdf
I understand that the TCP flag is originally stored as hex and then translated into the appropriate flags, but I don't understand where the additional values are coming from.
There are an additional 3 ECN Bits immediately prior to the 6 control bits used to describe the TCP Flags. (see http://www.networksorcery.com/enp/protocol/tcp.htm)
Following the explanation provided in the link below, you can translate the additional hexadecimal values into flags, including the ECN bits: https://www.manitonetworks.com/flow-management/2016/10/16/decoding-tcp-flags
So 0x52 = ..E.A..S.
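To make the decoding above reproducible over a whole dataset, here is an added Python example (not code from either linked page) that maps a NetFlow TCP-flags byte to the nine-character NCEUAPRSF form the answer uses. The bit positions come from RFC 793 and the ECN extension (RFC 3168); the NS bit (RFC 3540) is included only so the output has nine columns, since NetFlow exports the field as a single byte and can never set it. The list of hex values is the one from the question.

```python
# Added example: decode NetFlow TCP-flag bytes, including the ECN bits,
# into the nine-character NCEUAPRSF notation used in the answer.

# Bit positions of the TCP control bits. NetFlow exports the flags as one
# byte, so NS (0x100) cannot appear in an 8-bit field; it is kept here so
# the output lines up with the nine-letter notation.
FLAG_BITS = [
    ("N", 0x100),  # NS  (nonce sum, RFC 3540; outside an 8-bit export)
    ("C", 0x80),   # CWR (congestion window reduced, RFC 3168)
    ("E", 0x40),   # ECE (ECN-echo, RFC 3168)
    ("U", 0x20),   # URG
    ("A", 0x10),   # ACK
    ("P", 0x08),   # PSH
    ("R", 0x04),   # RST
    ("S", 0x02),   # SYN
    ("F", 0x01),   # FIN
]

FLAG_NAMES = {"N": "NS", "C": "CWR", "E": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}


def decode_flags(value: int) -> str:
    """Return the NCEUAPRSF string for a TCP-flags value (a letter for each
    set bit, a dot for each clear bit)."""
    if not 0 <= value <= 0x1FF:
        raise ValueError(f"TCP flags value out of range: {value:#x}")
    return "".join(letter if value & bit else "." for letter, bit in FLAG_BITS)


def set_flags(value: int) -> list[str]:
    """Return the names of the flags that are set, in NCEUAPRSF order."""
    return [FLAG_NAMES[letter] for letter, bit in FLAG_BITS if value & bit]


def uses_ecn(value: int) -> bool:
    """True when either ECN bit (CWR or ECE) is set, i.e. the flow would
    fall outside a plain six-bit UAPRSF decoder."""
    return bool(value & 0xC0)


# The unexplained values listed in the question.
QUESTION_VALUES = [0x52, 0x5A, 0xC2, 0xD3, 0xD6, 0xD7, 0xDA, 0xDB, 0xDF]

if __name__ == "__main__":
    for v in QUESTION_VALUES:
        print(f"{v:#04x}  {decode_flags(v)}  {' '.join(set_flags(v))}")
```

Two things worth keeping in mind when reading the output: a NetFlow record ORs together the flags of every packet in the flow, so a single value such as 0xdf showing SYN, ACK, PSH, RST and FIN at once is a normal complete flow, not a malformed packet; and ECE/CWR set alongside SYN or SYN+ACK (0xc2, 0x52) is the ECN capability negotiation from RFC 3168, so the extra bits indicate ECN-capable endpoints rather than anything the statistics need to filter out.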