Following the flags

TCP flags are used to indicate a particular state during a conversation. Some are commonly seen, such as ACK, FIN, and SYN; however, some are rarely seen in practical applications. TCP has eight (8) control flags, as shown here:

| Control flag | Bits | Function |
|---|---|---|
| Reserved | 3 | The Reserved bits are for future use and should be set to zero. |
| Nonce | 1 | Nonce is experimental and is intended for use with ECN. |
| CWR | 1 | Congestion Window Reduced, when set, indicates that the sender is responding to indications of network congestion with congestion avoidance. |
| ECE | 1 | ECN-Echo. Explicit Congestion Notification (ECN) notifies the endpoints of network congestion so that packets are not dropped. Both endpoints must be ECN capable for ECN to work. If this flag is set, the endpoint is ECN capable. |
| URG | 1 | Urgent indicates a packet that should have priority. Rarely seen. |
| ACK | 1 | Acknowledgment confirms that the data was received and that the client is ready to accept more. All packets after the initial SYN packet sent by the client should have this flag set. |
| PSH | 1 | Normally, a buffer holds data until it has a decent-sized packet to send. Push informs TCP that the data should be sent immediately rather than waiting until the buffer is full. |
| RST | 1 | When set, the sender and receiver abort the TCP connection. A Reset can happen for a number of reasons; often it is used to close an abnormal or malicious connection. |
| SYN | 1 | Synchronization synchronizes the sequence numbers. Only the first two packets of the handshake will have this flag set. |
| FIN | 1 | Finish means the communication has ended and there is no more data; close the connection. |

The TCP flags, when set, will tell the story of the TCP connection. Wireshark will reflect this state in the Info column of the packet list pane:

[Figure: TCP flags]

TCP is widely used, and the flags are important to control each session. However, TCP flags can be used in a malicious way to launch an attack or evade detection. As a result, the security analyst should make sure devices are tuned to monitor for non-standard and inappropriate use of TCP flags.
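As an added example (not code from the book), the following Python decodes the flag word at offset 12 of a raw TCP header and reports combinations that contradict the roles in the table above: reserved bits must be zero, SYN opens while FIN closes, and everything after the first SYN carries ACK. The sample headers are constructed, with arbitrary ports and sequence numbers, and the anomaly rules are my own reading of the table.

```python
import struct

# Bit positions inside the 16-bit word at TCP header offset 12
# (data offset in bits 15-12, reserved in 11-9, then NS and the eight flags).
FLAG_BITS = {"NS": 8, "CWR": 7, "ECE": 6, "URG": 5, "ACK": 4,
             "PSH": 3, "RST": 2, "SYN": 1, "FIN": 0}

def decode_flags(tcp_header: bytes):
    """Return (data_offset, reserved_bits, set of flag names) from a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    (word,) = struct.unpack_from("!H", tcp_header, 12)
    data_offset = word >> 12
    reserved = (word >> 9) & 0x7
    flags = {name for name, bit in FLAG_BITS.items() if word & (1 << bit)}
    return data_offset, reserved, flags

def flag_anomalies(reserved: int, flags: set) -> list:
    """Flag combinations that contradict the roles described in the table (my rules)."""
    problems = []
    if reserved:
        problems.append("reserved bits not zero")
    if not flags:
        problems.append("no flags set")
    if {"SYN", "FIN"} <= flags:
        problems.append("SYN and FIN together")
    if {"SYN", "RST"} <= flags:
        problems.append("SYN and RST together")
    if flags & {"FIN", "PSH", "URG"} and "ACK" not in flags:
        problems.append("post-handshake flags without ACK")
    return problems

def audit_segment(tcp_header: bytes) -> dict:
    """Decode one TCP header and attach the list of anomalies found."""
    _, reserved, flags = decode_flags(tcp_header)
    return {"flags": sorted(flags), "reserved": reserved,
            "anomalies": flag_anomalies(reserved, flags)}

def sample_header(flags_word: int, reserved: int = 0) -> bytes:
    """Constructed 20-byte TCP header; ports, sequence numbers and window are arbitrary."""
    word = (5 << 12) | (reserved << 9) | flags_word
    return struct.pack("!HHLLHHHH", 40000, 443, 1, 0, word, 65535, 0, 0)

if __name__ == "__main__":
    for label, hdr in [("SYN", sample_header(0x002)), ("SYN+ACK", sample_header(0x012)),
                       ("PSH+ACK", sample_header(0x018)), ("SYN+FIN", sample_header(0x003)),
                       ("none", sample_header(0x000)), ("ACK+reserved", sample_header(0x010, 1))]:
        print(label, audit_segment(hdr))
```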

As we can see, the TCP flags provide an indication of what is happening during a conversation. It's important to keep the data moving. As we'll see in the following section, the window size is used to notify the sender of just how much data a host can receive at any given time.
