Packet Capture – Understanding TCP Headers and Packet Filtering

The Transmission Control Protocol (TCP) is one of the fundamental protocols that power the Internet. It provides reliable, ordered, and error-checked data delivery between applications running on hosts communicating via an IP network. One essential aspect of TCP is the header it prepends to every segment, which carries a connection's control and state information. Among these header fields, the 13th byte (counting from zero, the way capture filters index it), also known as the 'flags' byte, is one of the most commonly used, especially for packet filtering. In this post, we'll explore the composition of TCP headers and focus mainly on the use of the 13th byte.

Breaking Down the TCP Header

A standard TCP header is 20 bytes long (longer when options are present), and each byte or group of bytes has a specific purpose. The offsets below are counted from zero, which is how capture filters such as tcp[13] index the header. Let's take a look:

Bytes 0-1: Source Port – The source port number of the connection.
Bytes 2-3: Destination Port – The destination port number.
Bytes 4-7: Sequence Number – The number assigned to the first byte of data in the current segment.
Bytes 8-11: Acknowledgment Number – The next sequence number that the sender of the acknowledgment expects to receive. This field is only valid when the ACK flag is set.
Byte 12: Data Offset (header length, in 32-bit words) in the high four bits, followed by three reserved bits and the NS flag.
Byte 13: Flags – The eight control flags CWR, ECE, URG, ACK, PSH, RST, SYN and FIN. CWR and ECE are used for Explicit Congestion Notification (ECN); the others are elaborated on below.
Bytes 14-15: Window Size – The sender's receive window size.
Bytes 16-17: Checksum – Used for error-checking of the header and data.
Bytes 18-19: Urgent Pointer – If the URG flag is set, this field is an offset from the sequence number indicating the last urgent data byte.
Bytes 20-..: Options and Padding – Optional and of variable length; used for the various TCP options and padded to a 32-bit boundary.

The 13th Byte: TCP Flags

The 13th byte in the TCP header holds the TCP flags, one bit per flag. These flags are crucial in managing the state of a TCP connection. Here are the most common ones, with the value of the bit each occupies in byte 13:

SYN (Synchronize, bit value 2): Initiates a connection.
ACK (Acknowledgement, bit value 16): Acknowledges the receipt of data.
FIN (Finish, bit value 1): Indicates the end of data transmission.
RST (Reset, bit value 4): Aborts a connection, typically in response to an error.
PSH (Push, bit value 8): Asks the receiver to pass this data to the application as soon as possible.
URG (Urgent, bit value 32): Indicates that certain data within the segment should be processed urgently; the Urgent Pointer marks it.

Tools like Wireshark and Cisco's ethanalyzer (which is built on Wireshark's tshark) use these flags for packet filtering. For example, using ethanalyzer on a Cisco Nexus switch, you could filter TCP packets where the SYN flag is set with the following command, whose capture filter tests bit value 2 of byte 13:

ethanalyzer local interface inband capture-filter "tcp[13] & 2 != 0"

Because the expression tests only the SYN bit, it matches every segment that has SYN set, including the SYN-ACK replies; a filter of tcp[13] == 2 would match bare SYN segments only.
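As an added example, not code from the original post: the Python below builds a few constructed 20-byte TCP headers, decodes the fields listed above, and emulates the "tcp[13] & 2" capture filter, showing that it also matches SYN-ACK replies while an exact "tcp[13] == 2" test matches only bare SYNs. All function names are my own.

```python
import struct

# Flag bits inside TCP header byte 13 (zero-based offset), the byte that
# a capture filter such as "tcp[13] & 2 != 0" indexes.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}

def build_tcp_header(src, dst, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header with no options (data offset = 5 words).
    Checksum is left as 0: this is constructed test data, not a live packet."""
    off_flags = (5 << 12) | (flags & 0x1FF)   # 4-bit offset, 3 reserved, 9 flag bits
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0)

def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header from network byte order."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,      # header length in bytes
        "ns": (off_flags >> 8) & 1,                # NS sits in byte 12, bit 0
        "flags_byte": raw[13],                     # CWR..FIN live in byte 13
        "flags": [n for n, b in TCP_FLAGS.items() if raw[13] & b],
        "window": window, "checksum": csum, "urgent": urg,
    }

def matches_filter(raw, mask, equals=None):
    """Emulate BPF 'tcp[13] & mask != 0', or 'tcp[13] & mask == equals'."""
    masked = raw[13] & mask
    return masked != 0 if equals is None else masked == equals

# Constructed sample headers (not from a real capture).
SYN     = build_tcp_header(40000, 443, 1000, 0, TCP_FLAGS["SYN"])
SYN_ACK = build_tcp_header(443, 40000, 5000, 1001, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])
ACK     = build_tcp_header(40000, 443, 1001, 5001, TCP_FLAGS["ACK"])
PSH_ACK = build_tcp_header(40000, 443, 1001, 5001, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"])

def syn_filter_hits(packets):
    """Count what 'tcp[13] & 2 != 0' and the stricter 'tcp[13] == 2' each match."""
    any_syn = sum(matches_filter(p, 0x02) for p in packets)
    syn_only = sum(matches_filter(p, 0xFF, 0x02) for p in packets)
    return any_syn, syn_only

if __name__ == "__main__":
    for p in (SYN, SYN_ACK, ACK, PSH_ACK): print(parse_tcp_header(p)["flags"])
    print("SYN-bit hits / SYN-only hits:", syn_filter_hits([SYN, SYN_ACK, ACK, PSH_ACK]))
```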

Conclusion

While the 13th byte of the TCP header (the flags byte) is often used for filtering packets, many other fields in the TCP header also serve critical functions. Network professionals can better troubleshoot, optimize, and secure their networks by understanding these fields and the information they convey. Remember, TCP headers are more than just a bunch of bytes; they’re the foundation of the reliable data communication that drives the Internet.