Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22763
Views
0
Helpful
6
Replies

ASA PACKET CAPTURE (SWE FLAG)

sambillings459
Level 1
Level 1

‎01-06-2018 09:28 PM - edited ‎02-21-2020 07:05 AM

Hi Experts,

 

I need some help from from you guys.

Today I was doing packet capture on Cisco ASA and during the capture in my logs I saw SWE flag. Can anyone please let me know does it mean

 

I also tried googling it but didn’t get accurate answers.

 

Appreciate any quick response.

2 people had this problem
Labels:
0 Helpful
6 Replies 6

Ajay Saini
Level 7
Level 7

‎01-06-2018 11:23 PM

Hello,

 

Can you please attach a portion of logs/captures where you encountered the SWE flag. You can remove sensitive info as required.

 

Regards,

AJ

0 Helpful

sambillings459
Level 1
Level 1
In response to Ajay Saini

‎01-08-2018 06:11 AM

24: 09:21:11.405984 1.1.1.1.54116 > 2.2.2.2.9100: SWE 4252812793:4252812793(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>
25: 09:21:14.409280 1.1.1.1.54116 > 2.2.2.2.9100: SWE 4252812793:4252812793(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>
26: 09:21:17.426094 1.1.1.1.54117 > 2.2.2.2.9100: SWE 2154972116:2154972116(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>
27: 09:21:20.428429 1.1.1.1.54117 > 2.2.2.2.9100: SWE 2154972116:2154972116(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>
0 Helpful

Ajay Saini
Level 7
Level 7
In response to sambillings459

‎01-09-2018 04:58 AM

Hello,

 

Please refer to my first response. I found a link that explains the tcp options utilising the SWE flags.

 

Regards,

AJ

0 Helpful

Rajavethan Veeriah
Level 1
Level 1
In response to sambillings459

‎12-02-2020 07:16 PM

Hi there, 

I found similar SWE  Flag when I did packet capture during tshooting. 

Turns out, there is another device after this firewall which is blocking the traffic.

So , it seem from the packet capture example above -- only Syn is sent. 

Syn/Ack is not coming back from the destination host. Thus resulting to a TCP timeout. 

 

Hope this helps ... 

Raj Veeriah

 

0 Helpful

Ajay Saini
Level 7
Level 7

‎01-08-2018 12:03 AM

Okay, found something and makes sense:

 

https://forums.gentoo.org/viewtopic-t-509973-start-0.html

 

-HTH

AJ

0 Helpful

Jesse Mijares
Level 1
Level 1

‎09-21-2022 07:36 AM

@sambillings459 SWE es por que tiene SYN+ECN Echo+ECN Cwnd Reducido, por lo que SYN inicial asi utiliza un "paquete SYN de configuración de ECN". Indica que el host que envía el paquete es compatible con ECN.
"E" tiene SYN+ECN Echo establecido; probablemente también tenga configurado ACK (según el campo "ack" en el paquete), por lo que es una respuesta SYN+ACK al SYN inicial, y es, para usar la terminología en la sección 6.1.1 de RFC 3168, un " Paquete SYN-ACK de configuración ECN". Indica que el host que envía el paquete es compatible con ECN.
El ECN tiene la bondad de una notificación de congestión de extremo a extremo entre dos puntos de conexión en redes basadas en TCP/IP.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card