I'm attempting to perform some statistical analysis of netflow data from a dataset that was provided to me; however, I am getting a number of TCP flags that do not represent the normal UAPRSF format.
The following hex values have also been included:
I understand that the TCP flag is originally stored as hex and then translated into the appropriate flags, but I don't understand where the additional values are coming from.
There are an additional 3 ECN Bits immediately prior to the 6 control bits used to describe the TCP Flags. (see http://www.networksorcery.com/enp/protocol/tcp.htm)
Following the explanation provided in the link below, you can translate the additional hexadecimal values into flags including the ECN bits: https://www.manitonetworks.com/flow-management/2016/10/16/decoding-tcp-flags
| N | C | E | U | A | P | R | S | F | Hex | Binary |
|---|---|---|---|---|---|---|---|---|-----|--------|
| 256 | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | | |
| 0 | 0 | 1 | 0 | 1 | 0 | 0 | 1 | 0 | 0x52 | 1010010 |
| | 1 | 1 | 0 | 1 | 1 | 1 | 1 | 1 | 0xdf | 11011111 |
So 0x52 = ..E.A..S.
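The decoding the answer above describes, written out as a small Python script so it can be run over a whole flow export. This is an added example, not code from the question or the answer: it uses the bit weights from the answer's table (N/C/E above U/A/P/R/S/F), accepts the hex strings a collector typically emits, encodes in the other direction, and flags records whose ECN bits are set so they can be separated in the statistics. The record tuples and IP addresses are constructed sample data, and the `summarize_flags` helper is a hypothetical name chosen for this example.

```python
from collections import Counter

# Bit weights from the answer's table: the three ECN-related bits (N, C, E)
# sit immediately above the six classic control bits (U, A, P, R, S, F).
FLAG_BITS = (
    ("N", 256), ("C", 128), ("E", 64),
    ("U", 32), ("A", 16), ("P", 8), ("R", 4), ("S", 2), ("F", 1),
)
ALL_BITS = sum(bit for _, bit in FLAG_BITS)          # 0x1ff, the 9 valid bits
ECN_BITS = 256 | 128 | 64                            # N, C, E


def parse_flag_value(value):
    """Accept an int, a '0x..' string or a bare hex string; return the int value.

    Raises ValueError if bits outside the nine flag bits are set, which usually
    means the field was mis-parsed rather than a real TCP flag combination.
    """
    if isinstance(value, int):
        flags = value
    else:
        flags = int(str(value).strip(), 16)   # int() accepts an optional 0x prefix
    if flags & ~ALL_BITS:
        raise ValueError(f"flag value {flags:#x} uses bits outside the 9 TCP flag bits")
    return flags


def decode_tcp_flags(value):
    """Render a value in NCEUAPRSF order, '.' for a clear bit: 0x52 -> '..E.A..S.'."""
    flags = parse_flag_value(value)
    return "".join(name if flags & bit else "." for name, bit in FLAG_BITS)


def encode_tcp_flags(text):
    """Inverse of decode_tcp_flags: '..E.A..S.' or 'EAS' -> 0x52. Dots are ignored."""
    lookup = dict(FLAG_BITS)
    flags = 0
    for ch in text.upper():
        if ch == ".":
            continue
        if ch not in lookup:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        flags |= lookup[ch]
    return flags


def ecn_bits_set(value):
    """True when any of N/C/E is set, i.e. the record does not fit plain UAPRSF."""
    return bool(parse_flag_value(value) & ECN_BITS)


# Constructed sample records: (src, dst, tcp_flags as a collector might export it).
SAMPLE_RECORDS = [
    ("10.0.0.5", "10.0.0.9", "0x52"),   # ECN-Echo + ACK + SYN (the 0x52 from the answer)
    ("10.0.0.5", "10.0.0.9", "0x1b"),   # ACK + PSH + SYN + FIN
    ("10.0.0.7", "10.0.0.9", "0xdf"),   # the 0xdf row from the answer's table
    ("10.0.0.8", "10.0.0.9", "0x02"),   # SYN only
    ("10.0.0.8", "10.0.0.9", "0x12"),   # SYN + ACK
]


def summarize_flags(records):
    """Count decoded flag combinations and how many records carry any ECN bit."""
    combos = Counter(decode_tcp_flags(rec[2]) for rec in records)
    with_ecn = sum(1 for rec in records if ecn_bits_set(rec[2]))
    return combos, with_ecn


if __name__ == "__main__":
    combos, with_ecn = summarize_flags(SAMPLE_RECORDS)
    for combo, count in combos.most_common():
        print(f"{combo}  {count}")
    print(f"records with ECN bits set: {with_ecn} of {len(SAMPLE_RECORDS)}")
```

Keeping the decoded string in fixed NCEUAPRSF order means the same flag combination always produces the same key, so the counts group correctly; the range check in `parse_flag_value` catches values above 0x1ff, which point to a parsing problem in the export rather than an unusual flag.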