Some problematic scenarios (mostly attacks) are:
- tcp[13] & 0x00 = 0: No flags set (null scan)
- tcp[13] & 0x01 = 1: fin set and ack not set
- tcp[13] & 0x03 = 3: syn set and fin set
- tcp[13] & 0x05 = 5: rst set and fin set
- tcp[13] & 0x06 = 6: syn set and rst set
- tcp[13] & 0x08 = 8: psh set and ack not set
In the following diagram, you can see how it works. tcp[13] is the number of bytes from the beginning of the protocol header, when the values 0, 1, 3, 5, 6, and 8 refer to the flag locations:
