LIVE NEWSROOM · --:-- · May 26, 2026
A LIBRARY FOR SECURITY RESEARCHERS

What are TCP/IP communication flags?


The Transmission Control Protocol (TCP) has communication flags in its header for controlling and managing the communication between two internet devices.

The communication flags are embedded in the TCP header to control or indicate a specific condition or action related to the transmission of the data.

Here, six flags manage the connection between the internet devices and give instructions to the system. The main four flags in the TCP header (SYN, ACK, FIN, and RST) are responsible for the establishment, maintenance, and termination of the connection over the network.

The two other flags (PSH and URG) give instructions to the system. The size of each flag is 1 bit, so with 6 flags in the TCP flag section the total size is 6 bits.

To turn on any flag, we set the value of that flag to 1, which puts that flag in the active state.

Figure: TCP header format

// 01 Different communication flags in the TCP header

There are a total of 8 main communication flags available in the TCP header. Here is a basic flag list you can go through:

  1. Synchronize or SYN flag: It notifies the receiver of the transmission of a new sequence number. This flag often denotes the three-way handshake that establishes a connection between two hosts.
  2. Acknowledgment or ACK flag: This flag is used to confirm the receipt of a transmission and identifies the next expected sequence number. After the device successfully receives a SYN packet, the acknowledgment flag is set to 1, implying that the receiver should pay attention to it.
  3. Push or PSH flag: When the ACK flag sets the flag value to 1, it indicates that the sender raised both operations to the receiver. This indicates that the remote system needs to inform the receiving application about the buffered data coming from the sender side. The system raises the push flag at the start and the end of the data transfer and sets it on the last segment of a file to prevent buffer deadlock.
  4. Urgent or URG flag: The urgent flag instructs the system to process the data contained in the packet as soon as possible. It is used when the data in the segment requires immediate attention from the receiving application. When the system sets the flag to 1, that data is given priority and processed first, stopping all other data processing.
  5. Finish or FIN flag: This flag is used to terminate the connection established by the SYN flag. When the value is set to 1, it announces that no more transmissions will be sent to the remote system, and the transmission is then terminated.
  6. Reset or RST flag: This flag is used when an error occurs in the transmission; it resets the connection and allows the system to start over. Most of the time, attackers use this flag for scanning active hosts and for identifying open ports in the system. In simple terms, the reset flag is used for resetting or aborting the current transmission between the devices.

Note: SYN scanning techniques mainly use these three flags: SYN, ACK, and RST. We can gather very legitimate information from the server during the enumeration phase with these three flags.
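To make the 1-bit flags concrete, the following added example (not code from the original article) packs and parses a 20-byte TCP header and decodes the six flags listed above from header byte 13. The helper names `build_header` and `parse_header` are hypothetical, the sample values are constructed, and the checksum is left at 0 rather than computed.

```python
import struct

# Bit masks for the six flags described above (low six bits of header byte 13).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header (no options) with the named flags set to 1."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    offset = 5 << 4  # data offset: 5 x 32-bit words = 20 bytes
    # Checksum and urgent pointer are left at 0 in this constructed sample.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset, bits, window, 0, 0)


def parse_header(raw):
    """Decode ports, sequence numbers and the set flags from raw header bytes."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, offset, bits, _win, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", raw[:20])
    header_len = (offset >> 4) * 4
    if header_len < 20 or header_len > len(raw):
        raise ValueError("invalid data offset")
    flags = [name for name, mask in FLAG_BITS.items() if bits & mask]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags,
            "flag_bits": bits & 0x3F}


if __name__ == "__main__":
    # Constructed segments: a SYN and the SYN/ACK that answers it.
    for sample in (build_header(21, 21, 1000, 0, ["SYN"]),
                   build_header(21, 21, 5000, 1001, ["SYN", "ACK"])):
        print(parse_header(sample))
```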

// 02 How TCP/IP communication works

TCP is a connection-oriented protocol because it first establishes a connection before transferring any data between applications. The connection is established with the help of the three-way handshake technique.

Let's understand the mechanism behind the three-way handshake technique:

Figure: three-way handshake
  1. To establish a connection using the TCP protocol, the source system (10.0.0.1:21) sends a SYN packet to the destination system (10.0.0.2:21).
  2. After receiving the SYN packet, the destination system (10.0.0.2:21) responds with a SYN/ACK packet to the source system (10.0.0.1:21).
  3. The ACK packet confirms to the source system (10.0.0.1:21) that the SYN packet was received by the destination system (10.0.0.2:21).
  4. The source system (10.0.0.1:21) then sends an ACK packet in response to the SYN/ACK packet transmitted by the destination system (10.0.0.2:21).
  5. This establishes a successful connection between the two devices, and the source and destination can now transfer data between them. The connection lasts until one of them sends a FIN or RST packet to terminate it.

This is an overview of the three-way handshake mechanism for initiating a TCP session between devices over the network.

// 03 How to terminate a TCP connection

Figure: TCP connection termination sequence

After completing all the data transfers between the devices over the network with the help of the TCP protocol, one of the systems needs to send a FIN or RST packet to terminate the connection.

So a sender sends the termination request to the opposite party by sending a FIN or RST packet. After receiving the FIN or RST packet, the receiver acknowledges the termination request by sending an acknowledgment packet to the sender, and then it finally sends its own FIN packet, after which the system terminates the established TCP connection between the devices.
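The handshake and termination sequences above can be followed as a small state tracker over observed flag sets. This added example (not part of the original article) walks two constructed captures: a full session that opens and closes cleanly, and a handshake that is reset before the final ACK, which is the SYN/ACK/RST pattern from the scanning note that a defender would flag. The state names are simplified labels assumed for this example, and the closing ACK and the PSH/ACK data segment in the sample are assumptions as well.

```python
# Constructed sample captures: (source, destination, flags set to 1).
CLIENT, SERVER = "10.0.0.1:21", "10.0.0.2:21"
FULL_SESSION = [
    (CLIENT, SERVER, {"SYN"}),
    (SERVER, CLIENT, {"SYN", "ACK"}),
    (CLIENT, SERVER, {"ACK"}),
    (CLIENT, SERVER, {"PSH", "ACK"}),   # data transfer
    (CLIENT, SERVER, {"FIN", "ACK"}),
    (SERVER, CLIENT, {"ACK"}),
    (SERVER, CLIENT, {"FIN", "ACK"}),
    (CLIENT, SERVER, {"ACK"}),
]
HALF_OPEN = [
    (CLIENT, SERVER, {"SYN"}),
    (SERVER, CLIENT, {"SYN", "ACK"}),
    (CLIENT, SERVER, {"RST"}),          # reset instead of the final ACK
]


def track(segments):
    """Return the distinct connection states reached, in order."""
    state, states, fins = "CLOSED", [], set()
    for src, _dst, flags in segments:
        if "RST" in flags:
            # RST aborts; before the final ACK it leaves a half-open attempt.
            half_open = state in ("SYN_SENT", "SYN_RECEIVED")
            state = "ABORTED_HALF_OPEN" if half_open else "RESET"
        elif state == "CLOSED" and flags == {"SYN"}:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            state = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and flags == {"ACK"}:
            state = "ESTABLISHED"
        elif state in ("ESTABLISHED", "CLOSING") and "FIN" in flags:
            fins.add(src)               # remember which side sent its FIN
            state = "CLOSING"
        elif state == "CLOSING" and len(fins) == 2 and flags == {"ACK"}:
            state = "CLOSED_CLEANLY"
        if not states or states[-1] != state:
            states.append(state)
    return states


if __name__ == "__main__":
    print(track(FULL_SESSION))
    print(track(HALF_OPEN))
```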

    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research. About us →
