[Internal] Understanding TCP flags in the NSX DFW packet logs

Article ID: 309070

Products

VMware NSX

Issue/Introduction

Symptoms:

  • In the /var/log/dfwpktlogs.log file on an ESXi host, or in the Log Insight events, you may see a list of packets being dropped, with one or more letters at the end of the log line, for example:

    8519 INET match DROP domain-c##/1101 IN 125 TCP 10.10.10.11/4002->10.10.10.12/49975 PA
    8519 INET match DROP domain-c##/1101 IN 125 TCP 10.10.10.11/4002->10.10.10.12/49975 PA
    64390 INET match PASS domain-c##/1032 IN 60 TCP 192.168.1.201/47629->192.168.1.205/22 S

Environment

VMware NSX for vSphere 6.4.x

Resolution

The following is a list of TCP flags, and the corresponding letter in the DFW packet log.

Not logged - NS - ECN-nonce concealment protection

W - CWR - Congestion Window Reduced

E - ECE - ECN-Echo. Its meaning depends on the value of the SYN flag:

  • If the SYN flag is set (1), it indicates that the TCP peer is ECN capable.
  • If the SYN flag is clear (0), it indicates that a packet with the Congestion Experienced code point set (ECN=11) in its IP header was received during normal transmission (added to the header by RFC 3168). This serves as an indication of network congestion (or impending congestion) to the TCP sender.

U - URG - indicates that the Urgent pointer field is significant.

A - ACK - indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.

P - PSH - Push function. Asks to push the buffered data to the receiving application.

R - RST - Reset the connection.

S - SYN - Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag: some are only valid when it is set, others only when it is clear.

F - FIN - Last packet from sender.
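The following Python script is an added example, not part of this article or of any VMware tool. It parses dfwpktlogs.log lines in the layout shown in the Symptoms section, expands the trailing letters into the TCP flag names listed above, and sorts DROP lines by connection phase, so that blocked connection attempts (a bare SYN) can be told apart from drops that hit an already established flow (ACK without SYN, such as the "PA" lines above), which usually deserve separate investigation. The field layout in the regular expression is assumed from the three sample lines; the extra sample lines beyond those three are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Flag letter -> TCP flag name, as printed at the end of a dfwpktlogs.log line.
# NS (ECN-nonce) has no letter because the DFW does not log it.
FLAG_LETTERS: Dict[str, str] = {
    "W": "CWR", "E": "ECE", "U": "URG", "A": "ACK",
    "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN",
}

# Field layout assumed from the sample lines in this article:
# <counter> <family> match <action> <rule> <dir> <len> <proto> <src>/<sport>-><dst>/<dport> [<flags>]
LINE_RE = re.compile(
    r"^(?P<counter>\d+)\s+(?P<family>INET6?)\s+match\s+(?P<action>PASS|DROP|REJECT)\s+"
    r"(?P<rule>\S+)\s+(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[0-9A-Fa-f.:]+)/(?P<sport>\d+)->(?P<dst>[0-9A-Fa-f.:]+)/(?P<dport>\d+)"
    r"(?:\s+(?P<flags>[WEUAPRSF]+))?\s*$"
)


@dataclass
class PacketLogEntry:
    action: str
    rule: str
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: List[str]  # decoded names, e.g. ["PSH", "ACK"]


def decode_flags(letters: str) -> List[str]:
    """Expand the trailing letter string ("PA") into flag names (["PSH", "ACK"])."""
    names = []
    for ch in letters:
        if ch not in FLAG_LETTERS:
            raise ValueError(f"unknown DFW flag letter {ch!r}")
        names.append(FLAG_LETTERS[ch])
    return names


def parse_line(line: str) -> Optional[PacketLogEntry]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = decode_flags(m["flags"]) if m["flags"] else []
    return PacketLogEntry(
        action=m["action"], rule=m["rule"], direction=m["direction"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        flags=flags,
    )


def classify_tcp(entry: PacketLogEntry) -> str:
    """Name the connection phase a packet belongs to, judged from its flags alone."""
    if entry.proto != "TCP":
        return "non-tcp"
    f = set(entry.flags)
    if "SYN" in f and "ACK" not in f:
        return "new-connection"   # client's first packet of a handshake
    if "SYN" in f and "ACK" in f:
        return "handshake-reply"  # server's SYN/ACK
    if "RST" in f:
        return "reset"
    if "FIN" in f:
        return "teardown"
    if "ACK" in f:
        return "established"      # mid-stream data (e.g. "PA") or a pure ACK
    return "unexpected"           # neither SYN nor ACK: not produced by a normal flow


def summarize_drops(lines: List[str]) -> Dict[str, int]:
    """Count DROP lines per connection phase, so blocked connection attempts are
    separated from drops that hit an already-established flow."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.action != "DROP":
            continue
        counts[classify_tcp(entry)] += 1
    return dict(counts)


# The first three lines are the article's samples; the rest are constructed for this example.
SAMPLE_LINES = [
    "8519 INET match DROP domain-c##/1101 IN 125 TCP 10.10.10.11/4002->10.10.10.12/49975 PA",
    "8519 INET match DROP domain-c##/1101 IN 125 TCP 10.10.10.11/4002->10.10.10.12/49975 PA",
    "64390 INET match PASS domain-c##/1032 IN 60 TCP 192.168.1.201/47629->192.168.1.205/22 S",
    "8520 INET match DROP domain-c##/1101 IN 60 TCP 10.10.10.20/51000->10.10.10.12/445 S",
    "8521 INET match DROP domain-c##/1101 IN 40 TCP 10.10.10.11/4002->10.10.10.12/49975 R",
    "8522 INET match DROP domain-c##/1101 IN 40 TCP 10.10.10.11/4002->10.10.10.12/49975 FA",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_line(line)
        print(f"{e.action:5} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              f"{'+'.join(e.flags) or '-':8} {classify_tcp(e)}")
    print(summarize_drops(SAMPLE_LINES))
```

Run it against the real file with `python3 dfwflags.py < /var/log/dfwpktlogs.log` after swapping SAMPLE_LINES for `sys.stdin`. Two of the article's own DROP lines decode to PSH+ACK and land in the "established" bucket: the firewall is discarding data from a flow that was already in progress, not refusing a new connection, which is the distinction the trailing letters exist to make.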