Neelesh Gurjar

Reputation: 127

AWS VPC FlowLog - What is TCP Flag 6?

I am getting TLS Negotiation Error on Public ALB.

To debug this, I initiated Curl Request to my public ALB using curl with older TLS Version.

I did not get anything on ALB Access Logs.

So I checked in VPC Flow Logs. I found that all requests are accepted.

However in TCP Flag field, I am getting number 6.

As per AWS Documentation https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html, there are only 4 TCP Flags:

FIN — 1
SYN — 2
RST — 4
SYN-ACK — 18

So what is TCP Flag 6 in VPC Flow Log? And is it related to the TCP Negotiation Error?

Upvotes: 2

Views: 938

Answers (2)

pete911

Reputation: 819

As the previous comment from @MichaelM explains, flow log TCP flags can be combined. It is really hard to parse numeric TCP flags, that's why I created my own tool to create and query flow logs, where I convert these numeric flags to actual TCP flags - https://github.com/pete911/flowlogs.

If you are not interested in the tool, this is the place where the parsing (from binary to flag) happens - https://github.com/pete911/flowlogs/blob/main/internal/aws/query/tcp.go#L37. Hopefully this helps to illustrate how it works and/or to create your own parser.

Upvotes: 0

MichaelM

Reputation: 1099

I believe the documentation you linked has been updated since you posted this question. It now includes the following text:

TCP flags can be OR-ed during the aggregation interval. For short connections, the flags might be set on the same line in the flow log record, for example, 19 for SYN-ACK and FIN, and 3 for SYN and FIN. For an example, see TCP flag sequence.

In other words, the tcp-flags are bit masks, meaning they can be combined to create unique numbers. These combinations happen when multiple requests occur within the "aggregation interval" of the flow logs.

Therefore, a 6 is going to be a combination of 4 + 2 since two records were combined into a single, aggregated record. So you received two messages, a SYN and a RST.

For more information about the aggregation interval, check out the "Aggregation interval" section of the "Logging IP traffic using VPC Flow Logs" article.

Upvotes: 1
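Both answers say the same thing: the tcp-flags field is a bitmask OR-ed over the aggregation interval, so 6 is SYN (2) | RST (4). The following is an added example of decoding that field and classifying records; it is not code from the question, from either answer, or from the pete911/flowlogs project. It assumes that PSH, ACK and URG occupy the standard TCP header bit positions 8, 16 and 32 (the question only lists FIN, SYN, RST and the SYN-ACK value 18, which is consistent with ACK = 16), and the custom log format and the sample records are constructed for the example.

```python
"""Decode the numeric tcp-flags field of AWS VPC Flow Log records.

Added example, not code from the question, the answers or pete911/flowlogs.
"""
from collections import Counter
from dataclasses import dataclass

# FIN, SYN, RST and the SYN-ACK value 18 come from the question; PSH, ACK and
# URG are assumed to be the standard TCP header bits (18 == SYN | ACK).
TCP_FLAG_BITS = {1: "FIN", 2: "SYN", 4: "RST", 8: "PSH", 16: "ACK", 32: "URG"}
KNOWN_MASK = sum(TCP_FLAG_BITS)  # 63: every bit the table above explains


def decode_tcp_flags(value):
    """Split an OR-ed tcp-flags value into flag names, lowest bit first.

    6 -> ['SYN', 'RST'], 18 -> ['SYN', 'ACK'], 19 -> ['FIN', 'SYN', 'ACK'].
    0 means no TCP flag was observed in the interval (e.g. a UDP flow).
    """
    if value < 0:
        raise ValueError(f"tcp-flags cannot be negative: {value}")
    names = [name for bit, name in TCP_FLAG_BITS.items() if value & bit]
    leftover = value & ~KNOWN_MASK  # bits outside the table are reported as-is
    if leftover:
        names.append(f"UNKNOWN({leftover})")
    return names


# Constructed custom log format (assumption: the flow log was created with
# exactly these fields in this order; the default format has no tcp-flags).
FIELDS = ["srcaddr", "dstaddr", "srcport", "dstport", "protocol",
          "packets", "bytes", "action", "tcp-flags"]


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int    # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    byte_count: int
    action: str      # ACCEPT or REJECT
    tcp_flags: int

    @property
    def flag_names(self):
        return decode_tcp_flags(self.tcp_flags)


def parse_record(line):
    """Parse one space-separated record laid out as in FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    raw = dict(zip(FIELDS, parts))
    return FlowRecord(
        srcaddr=raw["srcaddr"], dstaddr=raw["dstaddr"],
        srcport=int(raw["srcport"]), dstport=int(raw["dstport"]),
        protocol=int(raw["protocol"]), packets=int(raw["packets"]),
        byte_count=int(raw["bytes"]), action=raw["action"],
        tcp_flags=int(raw["tcp-flags"]),
    )


def classify(rec):
    """Describe what the aggregated bits say about one srcaddr->dstaddr record.

    The bits are the union of flags seen in that direction during the interval;
    they do not say in which order the packets arrived.
    """
    if rec.protocol != 6:
        return "non-tcp"
    flags = set(rec.flag_names)
    if flags == {"SYN", "RST"}:           # the value 6 from the question
        return "reset-during-handshake"
    if "SYN" in flags and "ACK" in flags:
        return "handshake-completed"
    if flags == {"SYN"}:
        return "syn-only"
    return "other"


# Constructed sample records (not real traffic); the last field is tcp-flags.
SAMPLE_LOG = """\
10.0.1.25 10.0.2.40 52344 443 6 3 180 ACCEPT 6
10.0.1.25 10.0.2.40 52345 443 6 12 3412 ACCEPT 19
10.0.2.40 10.0.1.25 443 52345 6 10 5210 ACCEPT 19
10.0.1.26 10.0.2.40 52346 443 6 1 60 ACCEPT 2
10.0.1.27 10.0.2.40 40001 53 17 2 140 ACCEPT 0
"""


def summarize(text):
    """Count records per class, so a burst of handshake resets stands out."""
    return dict(Counter(classify(parse_record(l))
                        for l in text.splitlines() if l.strip()))


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_record(line)
        print(f"{rec.srcaddr}:{rec.srcport} -> {rec.dstaddr}:{rec.dstport} "
              f"tcp-flags={rec.tcp_flags} ({'|'.join(rec.flag_names) or '-'}) "
              f"{classify(rec)}")
    print(summarize(SAMPLE_LOG))
```

Run it as a script to see each constructed record decoded; on real data, feed `summarize` the records from your own custom-format log group after adjusting `FIELDS` to match the format you chose. A rising count of `reset-during-handshake` for the listener port is the flow-log-level view of the failed negotiations described in the question, since the ALB access log only records requests that got through the TLS handshake.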
