What are the meanings of the TShark tcp.flags.str labels?


I am working with tshark and I've extracted a field called: tcp.flags.str. I'm having a hard time understanding the meaning of these field values. For example, a few strings might look like:

·······A····
··········S·
·······A···F
····C··AP···
RRR·CE····S·
·······A·R·F
·R···EUAPRSF
··RN········

I've worked out that the entire filled string is: RRRNCEUAPRSF, and I'm guessing that A: ACK, S: SYN, P: PUSH, U: URGENT, F: FIN, C: Congestion Window Reduced. Otherwise, I have no guesses other than that there are some R values, so somewhere there's a RESET and RESERVED, but I have no idea where. Where can I find some good documentation on this?


Christopher Maynard (best answer):

RFC 793 section 3.1 defines the original 6 TCP flags. RFC 3168 introduced the ECN-Echo and Congestion Window Reduced flags. RFC 3540 introduced the Nonce Sum flag, which Wireshark/tshark refers to as Accurate ECN, presumably from RFC 7560. The remaining 3 bits of the TCP flags field are still marked as Reserved. Thus, RRRNCEUAPRSF stands for:

  • RRR = Reserved for future use
  • N = Nonce sum (NS, now referred to as "Accurate ECN")
  • C = Congestion Window Reduced (CWR)
  • E = ECN-Echo (ECE)
  • U = Urgent (URG)
  • A = Acknowledgement (ACK)
  • P = Push (PSH)
  • R = Reset (RST)
  • S = Synchronize (SYN)
  • F = Finish (FIN)
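The layout above is positional: tcp.flags.str has one character per bit of the 12-bit TCP flags field, most significant bit first, with the bit's letter where it is set and a middle dot where it is clear. That is why the two "R" letters are not ambiguous, since a reserved bit and RST sit in different columns. The following decoder is an added example, not code from the original question or answer or from the Wireshark project; it turns a tcp.flags.str value back into the numeric tcp.flags value and the list of set flags, does the inverse, and applies a few constructed sanity checks (reserved bits set, SYN with FIN or RST, no flags at all, FIN+PSH+URG without ACK) that are the usual signs of crafted or scan traffic. The sample strings are the ones from the question.

```python
from __future__ import annotations

# Decoder for the 12-character tcp.flags.str that tshark prints, for example via
#   tshark -r capture.pcap -T fields -e tcp.flags -e tcp.flags.str
# Each position corresponds to one bit of the TCP flags field, MSB first.
# Layout: (letter shown when set, flag name, bit mask).  "R" appears both for
# the three reserved bits and for RST; the column disambiguates them.
FLAG_LAYOUT = [
    ("R", "RES3", 0x800),
    ("R", "RES2", 0x400),
    ("R", "RES1", 0x200),
    ("N", "NS",   0x100),  # Nonce Sum (RFC 3540); labelled Accurate ECN by Wireshark
    ("C", "CWR",  0x080),
    ("E", "ECE",  0x040),
    ("U", "URG",  0x020),
    ("A", "ACK",  0x010),
    ("P", "PSH",  0x008),
    ("R", "RST",  0x004),
    ("S", "SYN",  0x002),
    ("F", "FIN",  0x001),
]

# tshark prints U+00B7 MIDDLE DOT for a clear bit; a plain "." is accepted too
# in case the output was transcoded (assumption for robustness, not a tshark option).
CLEAR = {"·", "."}


def decode_flags_str(s: str) -> tuple[int, list[str]]:
    """Return (numeric tcp.flags value, names of set flags MSB first) for a tcp.flags.str."""
    if len(s) != len(FLAG_LAYOUT):
        raise ValueError(f"expected {len(FLAG_LAYOUT)} characters, got {len(s)}: {s!r}")
    value = 0
    names: list[str] = []
    for ch, (letter, name, mask) in zip(s, FLAG_LAYOUT):
        if ch in CLEAR:
            continue
        if ch != letter:
            raise ValueError(f"unexpected {ch!r} in the {name} column of {s!r}")
        value |= mask
        names.append(name)
    return value, names


def encode_flags_str(value: int) -> str:
    """Inverse of decode_flags_str: render a 12-bit tcp.flags value as tshark would."""
    if not 0 <= value <= 0xFFF:
        raise ValueError(f"tcp.flags is a 12-bit field, got {value:#x}")
    return "".join(letter if value & mask else "·" for letter, _, mask in FLAG_LAYOUT)


def anomalies(value: int) -> list[str]:
    """Constructed heuristics for flag combinations that a normal stack never sends."""
    reasons = []
    if value & 0xE00:
        reasons.append("reserved bits set")
    if value & 0x002 and value & 0x001:
        reasons.append("SYN and FIN together")
    if value & 0x002 and value & 0x004:
        reasons.append("SYN and RST together")
    if value == 0:
        reasons.append("no flags set (null scan)")
    if (value & 0x029) == 0x029 and not value & 0x010:
        reasons.append("FIN+PSH+URG without ACK (Xmas scan)")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the strings quoted in the question plus an all-clear one.
    for s in ["·······A····", "··········S·", "·······A···F", "····C··AP···",
              "RRR·CE····S·", "·······A·R·F", "·R···EUAPRSF", "··RN········",
              "············"]:
        value, names = decode_flags_str(s)
        print(f"{s}  tcp.flags=0x{value:03x}  {','.join(names) or '-':22s} {anomalies(value)}")
```

The numeric value matches what tshark emits for the companion field tcp.flags (for instance 0x018 for PSH+ACK), so the two fields can be cross-checked against each other when validating a parser.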