What does the TCP packet [P.] flag mean in tcpdump's output?


What exactly this [P.] Flag

It is a PUSH flag.

Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are set.

Source: Manpage of TCPDUMP

The purpose of push function and the PUSH flag is to push data through from the sending user to the receiving user. It does not provide a record service.

There is a coupling between the push function and the use of buffers of data that cross the TCP/user interface. Each time a PUSH flag is associated with data placed into the receiving user's buffer, the buffer is returned to the user for processing even if the buffer is not filled. If data arrives that fills the user's buffer before a PUSH is seen, the data is passed to the user in buffer size units.

Source: [PSH,ACK] wireshark capture - Wireshark Q&A

PSH and the PUSH function

When you send data, your TCP buffers it. So if you send a character it won't send it immediately but wait to see if you've got more. But maybe you want it to go straight on the wire: this is where the PUSH function comes in. If you PUSH data your TCP will immediately create a segment (or a few segments) and push them.

But the story doesn't stop here. When the peer TCP receives the data, it will naturally buffer it; it won't disturb the application for each and every byte. Here's where the PSH flag kicks in. If a receiving TCP sees the PSH flag it will immediately push the data to the application.

There's no API to set the PSH flag. Typically it is set by the kernel when it empties the buffer. From TCP/IP Illustrated:

This flag is conventionally used to indicate that the buffer at the side sending the packet has been emptied in conjunction with sending the packet. In other words, when the packet with the PSH bit field set left the sender, the sender had no more data to send.

But be aware Stevens also says:

Push (the receiver should pass this data to the application as soon as possible—not reliably implemented or used)

Source: Difference between push and urgent flags in TCP, answer by cnicutar
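
As an added example (not part of the original answer or of tcpdump itself), this Python sketch decodes the flag field of tcpdump output lines using the letter mapping from the manpage quoted above, rebuilds the TCP header flag byte, and reads the `length` field to see whether a segment carries payload. The sample capture lines, addresses and function names are constructed for illustration and assume tcpdump's default one-line output format.

```python
import re

# Letter-to-flag mapping as listed in the tcpdump manpage quoted above.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "U": "URG", "W": "CWR", "E": "ECE", ".": "ACK"}

# Bit values of the same flags in byte 13 of the TCP header.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# Assumed line shape: "... IP src > dst: Flags [..], ..., length N"
LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r".*?length (?P<len>\d+)")

def decode_flags(field):
    """Turn a tcpdump flag field such as 'P.' into ['PSH', 'ACK']."""
    if field == "none":
        return []
    return [FLAG_NAMES[c] for c in field]

def flags_byte(names):
    """Rebuild the header flag byte, e.g. ['PSH', 'ACK'] -> 0x18."""
    value = 0
    for name in names:
        value |= FLAG_BITS[name]
    return value

def parse_line(line):
    """Return src, dst, flag names, flag byte and payload length, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    names = decode_flags(m["flags"])
    return {"src": m["src"], "dst": m["dst"], "flags": names,
            "byte": flags_byte(names), "payload": int(m["len"])}

# Constructed sample lines (documentation addresses), not a real capture.
SAMPLE = """\
12:00:00.000001 IP 192.0.2.10.51000 > 198.51.100.5.80: Flags [S], seq 100, win 64240, length 0
12:00:00.000200 IP 198.51.100.5.80 > 192.0.2.10.51000: Flags [S.], seq 900, ack 101, win 65160, length 0
12:00:00.000300 IP 192.0.2.10.51000 > 198.51.100.5.80: Flags [.], ack 901, win 502, length 0
12:00:00.000400 IP 192.0.2.10.51000 > 198.51.100.5.80: Flags [P.], seq 101:178, ack 901, win 502, length 77
"""

if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE.splitlines())):
        print(f"{rec['src']} -> {rec['dst']} {'+'.join(rec['flags']) or 'none':8} "
              f"0x{rec['byte']:02x} payload={rec['payload']}")
```

In the constructed sample, only the `[P.]` line has a non-zero `length`, which is the field that shows a segment actually carried data.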


Author: ccsann

Updated on September 18, 2022

Comments

  • ccsann almost 2 years

    If an IP x.x.x.x connects to IP z.z.z.z using the [P.] flag for a TCP packet, what exactly does this [P.] flag mean? Does it mean that x.x.x.x sends some data to z.z.z.z?

  • Admin almost 2 years
    However in practice all TCP implementations ignore the PUSH flag completely and behave as though it is always set. It is an anachronism that can be ignored.