
PIX TCP connection flags

mhussein
Enthusiast

Does anyone know how to interpret the output of "show conn" command, specifically the "flags"?

Here is an example:

SNIFF# sho conn local 192.168.120.189 net 255.255.255.255
TCP out 192.168.225.30:80 in 192.168.120.189:1510 idle 0:00:02 Bytes 375 flags UO
TCP out 192.168.225.31:80 in 192.168.120.189:1499 idle 0:00:50 Bytes 1011 flags UIO
TCP out 192.168.225.30:80 in 192.168.120.189:1515 idle 0:00:01 Bytes 1917 flags UfFrIO

I'd appreciate any feedback on this.

Thanks.

Mustafa Hussein

Comark, Inc.


mmellet
Participant

Here’s the breakdown. d=Dump, clean up connection. f=FIN seen in inbound packet. F=FIN seen in outbound packet. H=HTTP get in a UDP connection, H can also mean H.323. I=Data in. J=Java applets are not permitted on connection. m=SMTP data. O=Data out. q=SQL*Net data fixup. R=Remote Procedure Call (RPC). r=In use. U=Connection is up. I think some other flags may show up but they are specifically for Cisco engineering if requested during troubleshooting.

Where did you find this stuff? (it's great!)

Unfortunately CCO does not give any information on the flags. You can find some of them only in the documentation of 4.4. It seems they are not important any more.. :)

Once I opened a case for some connection flags, and got almost all of them:

| Flag | Description
| U    | up
| f    | inside FIN
| F    | outside FIN
| r    | inside acknowledged FIN
| R    | outside acknowledged FIN
| s    | awaiting outside SYN
| S    | awaiting inside SYN
| M    | SMTP data
| H    | HTTP get (not used)
|      | SIP connection
|      | SKINNY (not used)
| I    | inbound data
| O    | outbound data
| q    | SQL*Net data
| n    | nailed connection (not supported)
| d    | dump
| P    | inside back connection
| E    | outside back connection
| G    | group
| p    | replicated (unused)
| a    | awaiting outside ACK to SYN
| A    | awaiting inside ACK to SYN
| B    | initial SYN from outside
| R    | RPC
| H    | H.323
|      | SIP connection
|      | SIP media connection
|      | SIP trans connection
| D    | DNS

Best,

Attila
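An added example, not part of any post in this thread: a small Python decoder that rejoins "show conn" entries wrapped at 80 columns, parses them, and expands the flag letters using the table in the reply above. The function and variable names are hypothetical, the line layout is assumed from the three entries in the question, and rows the table gives without a letter are left out.

```python
import re

# Meanings from the table in the reply above. Rows the post lists without a
# letter are omitted; R and H keep both meanings the post gives for them.
FLAGS = {
    "U": ["up"], "f": ["inside FIN"], "F": ["outside FIN"],
    "r": ["inside acknowledged FIN"], "R": ["outside acknowledged FIN", "RPC"],
    "s": ["awaiting outside SYN"], "S": ["awaiting inside SYN"],
    "M": ["SMTP data"], "H": ["HTTP get (not used)", "H.323"],
    "I": ["inbound data"], "O": ["outbound data"], "q": ["SQL*Net data"],
    "n": ["nailed connection (not supported)"], "d": ["dump"], "G": ["group"],
    "P": ["inside back connection"], "E": ["outside back connection"],
    "p": ["replicated (unused)"], "a": ["awaiting outside ACK to SYN"],
    "A": ["awaiting inside ACK to SYN"], "B": ["initial SYN from outside"],
    "D": ["DNS"],
}
# Entry layout assumed from the output shown in the question.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<outside>\S+) in (?P<inside>\S+) "
    r"idle (?P<idle>\d+:\d\d:\d\d) Bytes (?P<bytes>\d+) flags ?(?P<flags>[A-Za-z]*)$"
)
# The three entries from the question, wrapped at 80 columns as a terminal shows them.
SAMPLE = """\
SNIFF# sho conn local 192.168.120.189 net 255.255.255.255
TCP out 192.168.225.30:80 in 192.168.120.189:1510 idle 0:00:02 Bytes 375 flags U
O
TCP out 192.168.225.31:80 in 192.168.120.189:1499 idle 0:00:50 Bytes 1011 flags
UIO
TCP out 192.168.225.30:80 in 192.168.120.189:1515 idle 0:00:01 Bytes 1917 flags
UfFrIO
"""

def decode(text):
    """Rejoin wrapped entries, parse each one, and expand its flag letters."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("TCP ", "UDP ")):
            entries.append(line)
        elif entries and line.isalpha():  # wrapped tail of the flags field
            entries[-1] += line
    conns = []
    for m in filter(None, map(CONN_RE.match, entries)):
        conn = m.groupdict()
        conn["bytes"] = int(conn["bytes"])
        conn["meanings"] = {f: FLAGS.get(f, ["unknown"]) for f in conn["flags"]}
        conn["fin_seen"] = any(f in "fF" for f in conn["flags"])  # teardown started
        conns.append(conn)
    return conns

if __name__ == "__main__":
    for c in decode(SAMPLE):
        print(c["inside"], "->", c["outside"], c["flags"], c["meanings"])
```

A letter with two listed meanings (R, H) comes back with both, so the reader has to decide from the port or protocol which one applies.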

many thanks, this goes in the bag of tricks
