├── README.md
└── netflow_tcpflags.py

/README.md:
--------------------------------------------------------------------------------
## Some Stuff About NetFlow TCP Flags
NetFlow/IPFIX collectors typically include a decimal value that represents the cumulative bitwise OR of the flags set in the TCP header across the NetFlow session. Sometimes the analyzer translates them for you, but sometimes it doesn't.

The accompanying Python script translates between those decimal values and their human-readable equivalents, e.g.:
```
19 = ACK SYN FIN
```
Obviously, many of these combinations are invalid in normal TCP connections, but any of them could be seen given some creativity with a port scanner or packet generator.

### References:
- NetFlow v5:
  - http://www.cisco.com/c/en/us/td/docs/net_mgmt/netflow_collection_engine/3-6/user/guide/format.html#wp1006186
- NetFlow v9:
  - https://www.ietf.org/rfc/rfc3954.txt (see section 8)

[RFC 3540](https://tools.ietf.org/html/rfc3540) defines an experimental ninth TCP flag, `NS`, for ECN-nonce concealment protection. It appears to be rarely if ever used, so I default to excluding it. However, the IANA IPFIX entities list explicitly includes it, so I include an option for it. I don't include any option to decode reserved bits.

Reference: http://www.iana.org/assignments/ipfix/ipfix.xhtml

### The Whole List
```
0
1 FIN
2 SYN
3 SYN FIN
4 RST
5 RST FIN
6 RST SYN
7 RST SYN FIN
8 PSH
9 PSH FIN
10 PSH SYN
11 PSH SYN FIN
12 PSH RST
13 PSH RST FIN
14 PSH RST SYN
15 PSH RST SYN FIN
16 ACK
17 ACK FIN
18 ACK SYN
19 ACK SYN FIN
20 ACK RST
21 ACK RST FIN
22 ACK RST SYN
23 ACK RST SYN FIN
24 ACK PSH
25 ACK PSH FIN
26 ACK PSH SYN
27 ACK PSH SYN FIN
28 ACK PSH RST
29 ACK PSH RST FIN
30 ACK PSH RST SYN
31 ACK PSH RST SYN FIN
32 URG
33 URG FIN
34 URG SYN
35 URG SYN FIN
36 URG RST
37 URG RST FIN
38 URG RST SYN
39 URG RST SYN FIN
40 URG PSH
41 URG PSH FIN
42 URG PSH SYN
43 URG PSH SYN FIN
44 URG PSH RST
45 URG PSH RST FIN
46 URG PSH RST SYN
47 URG PSH RST SYN FIN
48 URG ACK
49 URG ACK FIN
50 URG ACK SYN
51 URG ACK SYN FIN
52 URG ACK RST
53 URG ACK RST FIN
54 URG ACK RST SYN
55 URG ACK RST SYN FIN
56 URG ACK PSH
57 URG ACK PSH FIN
58 URG ACK PSH SYN
59 URG ACK PSH SYN FIN
60 URG ACK PSH RST
61 URG ACK PSH RST FIN
62 URG ACK PSH RST SYN
63 URG ACK PSH RST SYN FIN
64 ECE
65 ECE FIN
66 ECE SYN
67 ECE SYN FIN
68 ECE RST
69 ECE RST FIN
70 ECE RST SYN
71 ECE RST SYN FIN
72 ECE PSH
73 ECE PSH FIN
74 ECE PSH SYN
75 ECE PSH SYN FIN
76 ECE PSH RST
77 ECE PSH RST FIN
78 ECE PSH RST SYN
79 ECE PSH RST SYN FIN
80 ECE ACK
81 ECE ACK FIN
82 ECE ACK SYN
83 ECE ACK SYN FIN
84 ECE ACK RST
85 ECE ACK RST FIN
86 ECE ACK RST SYN
87 ECE ACK RST SYN FIN
88 ECE ACK PSH
89 ECE ACK PSH FIN
90 ECE ACK PSH SYN
91 ECE ACK PSH SYN FIN
92 ECE ACK PSH RST
93 ECE ACK PSH RST FIN
94 ECE ACK PSH RST SYN
95 ECE ACK PSH RST SYN FIN
96 ECE URG
97 ECE URG FIN
98 ECE URG SYN
99 ECE URG SYN FIN
100 ECE URG RST
101 ECE URG RST FIN
102 ECE URG RST SYN
103 ECE URG RST SYN FIN
104 ECE URG PSH
105 ECE URG PSH FIN
106 ECE URG PSH SYN
107 ECE URG PSH SYN FIN
108 ECE URG PSH RST
109 ECE URG PSH RST FIN
110 ECE URG PSH RST SYN
111 ECE URG PSH RST SYN FIN
112 ECE URG ACK
113 ECE URG ACK FIN
114 ECE URG ACK SYN
115 ECE URG ACK SYN FIN
116 ECE URG ACK RST
117 ECE URG ACK RST FIN
118 ECE URG ACK RST SYN
119 ECE URG ACK RST SYN FIN
120 ECE URG ACK PSH
121 ECE URG ACK PSH FIN
122 ECE URG ACK PSH SYN
123 ECE URG ACK PSH SYN FIN
124 ECE URG ACK PSH RST
125 ECE URG ACK PSH RST FIN
126 ECE URG ACK PSH RST SYN
127 ECE URG ACK PSH RST SYN FIN
128 CWR
129 CWR FIN
130 CWR SYN
131 CWR SYN FIN
132 CWR RST
133 CWR RST FIN
134 CWR RST SYN
135 CWR RST SYN FIN
136 CWR PSH
137 CWR PSH FIN
138 CWR PSH SYN
139 CWR PSH SYN FIN
140 CWR PSH RST
141 CWR PSH RST FIN
142 CWR PSH RST SYN
143 CWR PSH RST SYN FIN
144 CWR ACK
145 CWR ACK FIN
146 CWR ACK SYN
147 CWR ACK SYN FIN
148 CWR ACK RST
149 CWR ACK RST FIN
150 CWR ACK RST SYN
151 CWR ACK RST SYN FIN
152 CWR ACK PSH
153 CWR ACK PSH FIN
154 CWR ACK PSH SYN
155 CWR ACK PSH SYN FIN
156 CWR ACK PSH RST
157 CWR ACK PSH RST FIN
158 CWR ACK PSH RST SYN
159 CWR ACK PSH RST SYN FIN
160 CWR URG
161 CWR URG FIN
162 CWR URG SYN
163 CWR URG SYN FIN
164 CWR URG RST
165 CWR URG RST FIN
166 CWR URG RST SYN
167 CWR URG RST SYN FIN
168 CWR URG PSH
169 CWR URG PSH FIN
170 CWR URG PSH SYN
171 CWR URG PSH SYN FIN
172 CWR URG PSH RST
173 CWR URG PSH RST FIN
174 CWR URG PSH RST SYN
175 CWR URG PSH RST SYN FIN
176 CWR URG ACK
177 CWR URG ACK FIN
178 CWR URG ACK SYN
179 CWR URG ACK SYN FIN
180 CWR URG ACK RST
181 CWR URG ACK RST FIN
182 CWR URG ACK RST SYN
183 CWR URG ACK RST SYN FIN
184 CWR URG ACK PSH
185 CWR URG ACK PSH FIN
186 CWR URG ACK PSH SYN
187 CWR URG ACK PSH SYN FIN
188 CWR URG ACK PSH RST
189 CWR URG ACK PSH RST FIN
190 CWR URG ACK PSH RST SYN
191 CWR URG ACK PSH RST SYN FIN
192 CWR ECE
193 CWR ECE FIN
194 CWR ECE SYN
195 CWR ECE SYN FIN
196 CWR ECE RST
197 CWR ECE RST FIN
198 CWR ECE RST SYN
199 CWR ECE RST SYN FIN
200 CWR ECE PSH
201 CWR ECE PSH FIN
202 CWR ECE PSH SYN
203 CWR ECE PSH SYN FIN
204 CWR ECE PSH RST
205 CWR ECE PSH RST FIN
206 CWR ECE PSH RST SYN
207 CWR ECE PSH RST SYN FIN
208 CWR ECE ACK
209 CWR ECE ACK FIN
210 CWR ECE ACK SYN
211 CWR ECE ACK SYN FIN
212 CWR ECE ACK RST
213 CWR ECE ACK RST FIN
214 CWR ECE ACK RST SYN
215 CWR ECE ACK RST SYN FIN
216 CWR ECE ACK PSH
217 CWR ECE ACK PSH FIN
218 CWR ECE ACK PSH SYN
219 CWR ECE ACK PSH SYN FIN
220 CWR ECE ACK PSH RST
221 CWR ECE ACK PSH RST FIN
222 CWR ECE ACK PSH RST SYN
223 CWR ECE ACK PSH RST SYN FIN
224 CWR ECE URG
225 CWR ECE URG FIN
226 CWR ECE URG SYN
227 CWR ECE URG SYN FIN
228 CWR ECE URG RST
229 CWR ECE URG RST FIN
230 CWR ECE URG RST SYN
231 CWR ECE URG RST SYN FIN
232 CWR ECE URG PSH
233 CWR ECE URG PSH FIN
234 CWR ECE URG PSH SYN
235 CWR ECE URG PSH SYN FIN
236 CWR ECE URG PSH RST
237 CWR ECE URG PSH RST FIN
238 CWR ECE URG PSH RST SYN
239 CWR ECE URG PSH RST SYN FIN
240 CWR ECE URG ACK
241 CWR ECE URG ACK FIN
242 CWR ECE URG ACK SYN
243 CWR ECE URG ACK SYN FIN
244 CWR ECE URG ACK RST
245 CWR ECE URG ACK RST FIN
246 CWR ECE URG ACK RST SYN
247 CWR ECE URG ACK RST SYN FIN
248 CWR ECE URG ACK PSH
249 CWR ECE URG ACK PSH FIN
250 CWR ECE URG ACK PSH SYN
251 CWR ECE URG ACK PSH SYN FIN
252 CWR ECE URG ACK PSH RST
253 CWR ECE URG ACK PSH RST FIN
254 CWR ECE URG ACK PSH RST SYN
255 CWR ECE URG ACK PSH RST SYN FIN
```
--------------------------------------------------------------------------------
/netflow_tcpflags.py:
--------------------------------------------------------------------------------
"""
NetFlow collectors typically include a decimal value that represents a bitwise-OR
of the flags that are set in a TCP header across the NetFlow session.
This script translates between those decimal values and their human-readable
equivalents, e.g.:
19 = ACK SYN FIN

References:
NetFlow v5:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/netflow_collection_engine/3-6/user/guide/format.html#wp1006186
NetFlow v9:
https://www.ietf.org/rfc/rfc3954.txt (see section 8)

RFC 3540 defines an experimental ninth TCP flag, "NS", for ECN-nonce
concealment protection.
It appears to be rarely if ever used, so we default to excluding it.
However, the IANA IPFIX entities list standard explicitly lists it, so I include
an option for it. I don't include any option to decode reserved bits.
Reference: http://www.iana.org/assignments/ipfix/ipfix.xhtml
"""
import argparse
from itertools import compress

# Flag names ordered from the most significant bit (NS = 256) down to the
# least significant (FIN = 1), so that a zero-padded binary string of the
# decimal value lines up with this list position by position.
rfc_3540_flags = ['NS', 'CWR', 'ECE', 'URG', 'ACK', 'PSH', 'RST', 'SYN', 'FIN']
# short versions of flag names:
#rfc_3540_flags = ['N', 'C', 'E', 'U', 'A', 'P', 'R', 'S', 'F']
standard_flags = rfc_3540_flags[1:]   # the eight flags without NS


def flags_as_list(decimal_flags, tcpflags):
    """Return a list of the bits in the TCP flags field, given the field as decimal."""
    if len(tcpflags) == 8:
        formatter = '{:08b}'
    else:
        formatter = '{:09b}'
    return [int(n) for n in formatter.format(decimal_flags)]


def flags_dict(tcpflags=standard_flags):
    """Generate a dict of all possible numeric to human-readable flag mappings."""
    mapping = {}
    # 2**len(tcpflags) values: 0..255 for the eight flags, 0..511 with NS.
    for n in range(2 ** len(tcpflags)):
        verbose_flags = list(compress(tcpflags, flags_as_list(n, tcpflags)))
        mapping[n] = verbose_flags
    return mapping


def print_flags(tcpflags=standard_flags):
    """Print the dictionary."""
    for k, v in flags_dict(tcpflags).items():
        print(k, ' '.join(v))


def main():
    parser = argparse.ArgumentParser(description="NetFlow TCP Flags")
    parser.add_argument('--rfc3540', action='store_true',
                        help='include RFC3540 NS bit options')
    parser.add_argument('--list', '-l', action='store',
                        help='list a single value')
    args = parser.parse_args()
    if args.list:
        if args.rfc3540:
            print(' '.join(flags_dict(tcpflags=rfc_3540_flags)[int(args.list)]))
        else:
            print(' '.join(flags_dict()[int(args.list)]))
    elif args.rfc3540:
        print_flags(tcpflags=rfc_3540_flags)
    else:
        print_flags()


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
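The same decoding done with bit masks rather than a binary string, plus the reverse mapping and a triage pass over a few constructed flow records, added here as an example that is not part of this repository's script. It goes beyond the script in two ways: it also encodes flag names back to the decimal value, and it points out cumulative-OR combinations that a normal TCP session never produces (the kind the README says a port scanner or packet generator can leave in the flow data). The record layout (src, dst, dport, tcp_flags) and the sample values are assumptions.

```python
# Added example, not part of the repository: decode and encode NetFlow/IPFIX
# tcpControlBits with bit masks, and flag cumulative-OR combinations that a
# normal TCP session never produces. Bit values follow RFC 793/3168/3540.
FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}
FLAG_ORDER = ["NS", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]  # high bit first

def decode_flags(value, include_ns=False):
    """Names of the bits set in value, highest bit first; NS only on request."""
    width = 9 if include_ns else 8
    if not 0 <= value < (1 << width):
        raise ValueError(f"{value} does not fit in {width} flag bits")
    names = FLAG_ORDER if include_ns else FLAG_ORDER[1:]
    return [n for n in names if value & FLAG_BITS[n]]

def encode_flags(text):
    """Reverse direction: 'ACK SYN FIN' -> 19 (any order, case-insensitive)."""
    value = 0
    for name in text.split():
        value |= FLAG_BITS[name.upper()]
    return value

def flow_oddities(value):
    """Triage hints, not verdicts, for a cumulative flag value: a flow exported
    mid-session or cut by an active timeout can legitimately look incomplete."""
    s = set(decode_flags(value, include_ns=True))
    reasons = []
    if not s:
        reasons.append("no flags at all")
    if s == {"SYN"}:
        reasons.append("SYN only: handshake never completed")
    if {"SYN", "FIN"} <= s and "ACK" not in s:
        reasons.append("SYN and FIN without any ACK")
    if s & {"FIN", "PSH", "URG"} and not s & {"SYN", "ACK"}:
        reasons.append("data or teardown flags with neither SYN nor ACK")
    return reasons

# Constructed sample flow records (src, dst, dport, tcp_flags); not real data.
SAMPLE_FLOWS = [("10.0.0.5", "10.0.0.9", 443, 27),   # ACK PSH SYN FIN: normal
                ("10.0.0.5", "10.0.0.9", 22, 2),     # SYN only
                ("10.0.0.7", "10.0.0.9", 80, 3),     # SYN FIN, no ACK
                ("10.0.0.7", "10.0.0.9", 25, 41),    # URG PSH FIN, no SYN/ACK
                ("10.0.0.8", "10.0.0.9", 8080, 0)]   # nothing set

def triage(flows=SAMPLE_FLOWS):
    """Return (record, decoded flag names, reasons) for each odd-looking flow."""
    return [(rec, " ".join(decode_flags(rec[3])), flow_oddities(rec[3]))
            for rec in flows if flow_oddities(rec[3])]
```

`triage()` keeps the record beside its decoded names so an analyst sees "3 (SYN FIN)" rather than a bare number when reviewing the output.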