https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9560#M693416 <HTML><HEAD></HEAD><BODY><P>Unfortunatelly CCO does not give any information on the flags. You can find some of them only in the documentation of 4.4. It seems they are not important any more.. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Once I opened a case for some connections flags, and got almost all of them:</P><P></P><P> | Flag | Description </P><P> | U | up </P><P> | f | inside FIN </P><P> | F | outside FIN </P><P> | r | inside acknowledged FIN </P><P> | R | outside acknowledged FIN </P><P> | s | awaiting outside SYN </P><P> | S | awaiting inside SYN </P><P> | M | SMTP data </P><P> | H | HTTP get (not used) </P><P> | | SIP connection </P><P> | | SKINNY (not used) </P><P> | I | inbound data </P><P> | O | outbound data </P><P> | q | SQL*Net data </P><P> | n | nailed connection (no supported) </P><P> | d | dump </P><P> | P | inside back connection </P><P> | E | outside back connection </P><P> | G | group </P><P> | p | replicated (unused) </P><P> | a | awaiting outside ACK to SYN </P><P> | A | awaiting inside ACK to SYN </P><P> | B | initial SYN from outside </P><P> | R | RPC </P><P> | H | H.323 </P><P> | | SIP connection </P><P> | | SIP media connection </P><P> | | SIP trans connection </P><P> | D | DNS </P><P></P><P>Best,</P><P></P><P>Attila</P></BODY></HTML> Tue, 24 Jul 2001 15:43:23 GMT subaa 2001-07-24T15:43:23Z https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9557#M693406 <P>Does anyone know how to interpret the output of "show conn" command, specifically the "flags"?</P><P>Here is an example:</P><P>SNIFF# sho conn local 192.168.120.189 net 255.255.255.255</P><P>TCP out 192.168.225.30:80 in 192.168.120.189:1510 idle 0:00:02 Bytes 375 flags U</P><P>O</P><P>TCP out 192.168.225.31:80 in 192.168.120.189:1499 idle 0:00:50 Bytes 1011 flags</P><P>UIO</P><P>TCP out 192.168.225.30:80 in 192.168.120.189:1515 idle 0:00:01 Bytes 1917 flags</P><P>UfFrIO</P><P></P><P>I'd appreciate any feedback on this.</P><P>Thanks.</P><P>Mustafa Hussein</P><P>Comark, Inc.</P> Fri, 21 Feb 2020 05:48:41 GMT https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9557#M693406 mhussein 2020-02-21T05:48:41Z https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9558#M693410 <HTML><HEAD></HEAD><BODY><P>Here&#146;s the breakdown. d=Dump, clean up connection. f=FIN seen in inbound packet. F=FIN seen in outbound packet. H=HTTP get in a UDP connection, H can also mean H.323. I Data in. J=Java applets are not permitted on connection. m=SMTP data. O=Data out. q= SQL*Net data fixup. R=Remote Procedure Call (RPC). r=In use. U=Connection is up. I think some other flags may show up but they are specifically for Cisco engineering if requested during trouble-shooting. </P></BODY></HTML> Thu, 05 Jul 2001 21:58:24 GMT https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9558#M693410 mmellet 2001-07-05T21:58:24Z https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9559#M693415 <HTML><HEAD></HEAD><BODY><P>Where did you find this stuff? (its great!)</P></BODY></HTML> Fri, 06 Jul 2001 17:29:20 GMT https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9559#M693415 millerv 2001-07-06T17:29:20Z https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9560#M693416 <HTML><HEAD></HEAD><BODY><P>Unfortunatelly CCO does not give any information on the flags. You can find some of them only in the documentation of 4.4. It seems they are not important any more.. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Once I opened a case for some connections flags, and got almost all of them:</P><P></P><P> | Flag | Description </P><P> | U | up </P><P> | f | inside FIN </P><P> | F | outside FIN </P><P> | r | inside acknowledged FIN </P><P> | R | outside acknowledged FIN </P><P> | s | awaiting outside SYN </P><P> | S | awaiting inside SYN </P><P> | M | SMTP data </P><P> | H | HTTP get (not used) </P><P> | | SIP connection </P><P> | | SKINNY (not used) </P><P> | I | inbound data </P><P> | O | outbound data </P><P> | q | SQL*Net data </P><P> | n | nailed connection (no supported) </P><P> | d | dump </P><P> | P | inside back connection </P><P> | E | outside back connection </P><P> | G | group </P><P> | p | replicated (unused) </P><P> | a | awaiting outside ACK to SYN </P><P> | A | awaiting inside ACK to SYN </P><P> | B | initial SYN from outside </P><P> | R | RPC </P><P> | H | H.323 </P><P> | | SIP connection </P><P> | | SIP media connection </P><P> | | SIP trans connection </P><P> | D | DNS </P><P></P><P>Best,</P><P></P><P>Attila</P></BODY></HTML> Tue, 24 Jul 2001 15:43:23 GMT https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9560#M693416 subaa 2001-07-24T15:43:23Z https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9561#M693417 <HTML><HEAD></HEAD><BODY><P>many thanks, this goes in the bag of tricks</P></BODY></HTML> Wed, 25 Jul 2001 21:13:03 GMT https://community.cisco.com/t5/network-security/pix-tcp-connection-flags/m-p/9561#M693417 millerv 2001-07-25T21:13:03Z