ASA PACKET CAPTURE (SWE FLAG)

sambillings459
Level 1

Hi Experts,

I need some help from you guys.

Today I was doing a packet capture on a Cisco ASA and during the capture, in my logs, I saw an SWE flag. Can anyone please let me know what it means?

I also tried googling it but didn't get accurate answers.

Appreciate any quick response.

6 Replies

Ajay Saini
Level 7

Hello,

Can you please attach a portion of the logs/captures where you encountered the SWE flag. You can remove sensitive info as required.

Regards,

AJ

24: 09:21:11.405984 1.1.1.1.54116 > 2.2.2.2.9100: SWE 4252812793:4252812793(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>
25: 09:21:14.409280 1.1.1.1.54116 > 2.2.2.2.9100: SWE 4252812793:4252812793(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>
26: 09:21:17.426094 1.1.1.1.54117 > 2.2.2.2.9100: SWE 2154972116:2154972116(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>
27: 09:21:20.428429 1.1.1.1.54117 > 2.2.2.2.9100: SWE 2154972116:2154972116(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>

Hello,

Please refer to my first response. I found a link that explains the TCP options utilising the SWE flags.

Regards,

AJ

Hi there,

I found a similar SWE flag when I did a packet capture during troubleshooting.

Turns out, there is another device after this firewall which is blocking the traffic.

So, it seems from the packet capture example above that only the SYN is sent.

The SYN/ACK is not coming back from the destination host, thus resulting in a TCP timeout.

Hope this helps ...

Raj Veeriah


Ajay Saini
Level 7

Okay, found something, and it makes sense:

https://forums.gentoo.org/viewtopic-t-509973-start-0.html

-HTH

AJ

Jesse Mijares
Level 1

@sambillings459 SWE is because it has SYN + ECN Echo + ECN Cwnd Reduced set, so the initial SYN is thus an "ECN-setup SYN packet". It indicates that the host sending the packet supports ECN.
"E" has SYN + ECN Echo set; it probably also has ACK set (judging by the "ack" field in the packet), so it is a SYN+ACK reply to the initial SYN and is, to use the terminology of section 6.1.1 of RFC 3168, an "ECN-setup SYN-ACK packet". It indicates that the host sending the packet supports ECN.
ECN has the benefit of providing end-to-end congestion notification between two endpoints on TCP/IP-based networks.
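Tying the two explanations in this thread together (the flag letters in the capture, and Raj's point that a SYN repeated with no SYN/ACK means something past the firewall is not answering), here is an added example that is not part of the thread and is not Cisco code: a small Python parser for ASA `show capture` lines that decodes the tcpdump-style flag letters (S = SYN, W = CWR, E = ECE, and so on; ACK has no letter in this notation and is inferred from the `ack` field, as Jesse notes) and then classifies each flow. The first four sample lines are the ones posted above; the last three, a completed ECN-negotiated handshake to 3.3.3.3:443, are constructed for contrast. The regex only covers the IPv4 TCP line layout shown in this thread.

```python
import re
from collections import defaultdict

# Flag letters in ASA "show capture" output (tcpdump's classic notation).
# ACK has no letter: "." means "none of these letters set", and ACK is
# signalled by the separate "ack N" field that follows the sequence range.
FLAG_LETTERS = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
                "U": "URG", "E": "ECE", "W": "CWR"}

# Matches the IPv4 TCP line layout seen in this thread; the sequence range
# is absent on a pure ACK, and the ack field is absent on a bare SYN.
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRUEW.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"\s+win\s+(?P<win>\d+)"
)

# Lines 24-27 are the capture posted in the thread; 28-30 are constructed
# to show what an answered, ECN-negotiated handshake looks like.
CAPTURE = [
    "24: 09:21:11.405984 1.1.1.1.54116 > 2.2.2.2.9100: SWE 4252812793:4252812793(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>",
    "25: 09:21:14.409280 1.1.1.1.54116 > 2.2.2.2.9100: SWE 4252812793:4252812793(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>",
    "26: 09:21:17.426094 1.1.1.1.54117 > 2.2.2.2.9100: SWE 2154972116:2154972116(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>",
    "27: 09:21:20.428429 1.1.1.1.54117 > 2.2.2.2.9100: SWE 2154972116:2154972116(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK,opt-33:210081c4862157070000>",
    "28: 09:21:25.000000 1.1.1.1.54118 > 3.3.3.3.443: SWE 100:100(0) win 8192 <mss 1420,nop,wscale 8,nop,nop,sackOK>",
    "29: 09:21:25.001000 3.3.3.3.443 > 1.1.1.1.54118: SE 5000:5000(0) ack 101 win 65535 <mss 1460>",
    "30: 09:21:25.002000 1.1.1.1.54118 > 3.3.3.3.443: . ack 5001 win 64240",
]


def decode_flags(flag_str, ack_field):
    """Turn an ASA flag string plus the optional ack field into flag names."""
    flags = {FLAG_LETTERS[c] for c in flag_str if c in FLAG_LETTERS}
    if ack_field is not None:
        flags.add("ACK")
    return flags


def parse_line(line):
    """Parse one capture line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["flags"] = decode_flags(pkt["flags"], pkt["ack"])
    return pkt


def analyze(lines):
    """Group packets by endpoint pair and say what each handshake shows."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        a = (pkt["src"], int(pkt["sport"]))
        b = (pkt["dst"], int(pkt["dport"]))
        flows[tuple(sorted((a, b)))].append(pkt)

    report = {}
    for key, pkts in flows.items():
        syns = [p for p in pkts if "SYN" in p["flags"] and "ACK" not in p["flags"]]
        synacks = [p for p in pkts if {"SYN", "ACK"} <= p["flags"]]
        resets = [p for p in pkts if "RST" in p["flags"]]
        # RFC 3168 section 6.1.1: ECN-setup SYN carries CWR+ECE,
        # ECN-setup SYN-ACK carries ECE only.
        ecn_setup_syn = any({"CWR", "ECE"} <= p["flags"] for p in syns)
        ecn_setup_synack = any("ECE" in p["flags"] and "CWR" not in p["flags"]
                               for p in synacks)
        if synacks:
            state = "handshake answered"
        elif resets:
            state = "refused (RST seen)"
        elif len(syns) > 1:
            state = ("SYN sent %d times without a SYN-ACK: destination "
                     "(or a device in the path) is not answering" % len(syns))
        elif syns:
            state = "single SYN, no reply yet"
        else:
            state = "no SYN seen (mid-stream capture)"
        report[key] = {"state": state, "syns": len(syns),
                       "ecn_setup_syn": ecn_setup_syn,
                       "ecn_setup_synack": ecn_setup_synack}
    return report


if __name__ == "__main__":
    for (a, b), info in analyze(CAPTURE).items():
        print("%s:%d <-> %s:%d  %s" % (a[0], a[1], b[0], b[1], info["state"]),
              "| ECN-setup SYN:", info["ecn_setup_syn"],
              "| ECN-setup SYN-ACK:", info["ecn_setup_synack"])
```

Run against the thread's own lines, the two flows to 2.2.2.2:9100 each show two ECN-setup SYNs and nothing back, which is the "something downstream is dropping it" picture rather than an ASA problem; the constructed flow shows the "SE ... ack" reply that would have appeared if the far end had answered. A real capture should be taken on both the ingress and egress interfaces of the ASA before blaming the next hop, since a drop by the ASA's own policy looks identical on the inside interface.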
