NetFlow TCP flags: hexadecimal values not representative of UAPRSF


I'm attempting to perform some statistical analysis of NetFlow data from a dataset that was provided to me; however, I am getting a number of TCP flag values that do not fit the normal UAPRSF format.

The following hex values have also been included:

  • 0x52
  • 0x5a
  • 0xc2
  • 0xd3
  • 0xd6
  • 0xd7
  • 0xda
  • 0xdb
  • 0xdf

I understand that the TCP flags field is originally stored as hex and then translated into the appropriate flags, but I don't understand where the additional values are coming from.

BEST ANSWER

There are an additional 3 ECN bits immediately prior to the 6 control bits used to describe the TCP flags (see http://www.networksorcery.com/enp/protocol/tcp.htm).

Following the explanation in the link below, you can translate the additional hexadecimal values into flags, including the ECN bits: https://www.manitonetworks.com/flow-management/2016/10/16/decoding-tcp-flags

| N (256) | C (128) | E (64) | U (32) | A (16) | P (8) | R (4) | S (2) | F (1) | Hex  | Binary   |
|---------|---------|--------|--------|--------|-------|-------|-------|-------|------|----------|
| 0       | 0       | 1      | 0      | 1      | 0     | 0     | 1     | 0     | 0x52 | 1010010  |
| 0       | 1       | 1      | 0      | 1      | 1     | 1     | 1     | 1     | 0xdf | 11011111 |

So 0x52 = ..E.A..S.
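To turn the table above into something you can run over a whole dataset, here is a small decoder that uses the same bit weights (N=256, C=128, E=64, then UAPRSF) and renders each value in the `..E.A..S.` notation the answer uses. This is an added example, not code from the question or the linked articles; the list of hex values is the one from the question, and the function and variable names are my own.

```python
# Decode NetFlow/IPFIX TCP flag values into flag letters, including the
# three ECN-related bits (N = NS, C = CWR, E = ECE) that sit above the
# six classic UAPRSF control bits. Bit weights follow the answer's table.

# (letter, bit value), most- to least-significant
FLAG_BITS = (
    ("N", 0x100),  # NS  (nonce sum)
    ("C", 0x80),   # CWR (congestion window reduced)
    ("E", 0x40),   # ECE (ECN-echo)
    ("U", 0x20),   # URG
    ("A", 0x10),   # ACK
    ("P", 0x08),   # PSH
    ("R", 0x04),   # RST
    ("S", 0x02),   # SYN
    ("F", 0x01),   # FIN
)
ALL_KNOWN = sum(bit for _, bit in FLAG_BITS)
ECN_MASK = 0x100 | 0x80 | 0x40
CLASSIC_MASK = 0x3F  # UAPRSF only


def decode_flags(value: int) -> str:
    """Return a fixed-width string such as '..E.A..S.' for a TCP flags value."""
    if value < 0 or value & ~ALL_KNOWN:
        raise ValueError(f"unexpected bits set in TCP flags value {value:#x}")
    return "".join(letter if value & bit else "." for letter, bit in FLAG_BITS)


def decode_hex(text: str) -> str:
    """Decode a hex string as it appears in the exported flow record, e.g. '0x52'."""
    return decode_flags(int(text, 16))


def has_ecn_bits(value: int) -> bool:
    """True when any of N/C/E is set, i.e. the value cannot be shown as plain UAPRSF."""
    return bool(value & ECN_MASK)


def strip_ecn(value: int) -> int:
    """Drop N/C/E so the value fits the classic 6-bit UAPRSF view."""
    return value & CLASSIC_MASK


def summarize(hex_values):
    """Return (hex, 9-bit binary, full flags, UAPRSF-only flags) for each hex string."""
    rows = []
    for text in hex_values:
        value = int(text, 16)
        rows.append((text, format(value, "09b"), decode_flags(value),
                     decode_flags(strip_ecn(value))))
    return rows


if __name__ == "__main__":
    # The hex values listed in the question
    sample = ["0x52", "0x5a", "0xc2", "0xd3", "0xd6", "0xd7", "0xda", "0xdb", "0xdf"]
    for hex_str, binary, flags, classic in summarize(sample):
        print(f"{hex_str:>5}  {binary}  {flags}  UAPRSF only: {classic}")
```

Running it confirms the answer's worked row, `0x52 -> ..E.A..S.`, and shows that every "odd" value in the question is simply an ordinary UAPRSF combination with CWR and/or ECE set. If a statistical pipeline only cares about the six classic flags, `strip_ecn()` lets you bucket records consistently; if it cares about ECN negotiation, keep the full value, since `0xc2` (`.CE....S.`) and `0x02` (`.......S.`) are both SYNs but differ in whether ECN was requested. `decode_flags()` rejects values with bits above the nine the table defines rather than silently dropping them, so a malformed or differently encoded export shows up as an error instead of a quietly wrong flag string.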