TCP Flags: PSH and URG

The TCP header contains several one-bit boolean fields known as flags used to influence the flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification, there are six TCP control flags.Four of these (SYN, FIN, ACK, RST) are used to control the establishment, maintenance, and tear-down of a TCP connection, and should be familiar to anyone who has performed even basic packet analysis.

The other two flags, PSH (push) and URG (urgent), aren't as well-known. They are the focus of today's article.

    URG - Bypass the queue.
    ACK - Acknowledges received data
    PSH - Asks to push the buffered data to the receiving application
    RST - Aborts a connection in response to an error
    SYN - Initiates a connection
    FIN - Closes a connection


PSH Flag:

The Push flag, like the Urgent flag, exists to ensure that the data is given the priority and is processed at the sending or receiving end. This particular flag is used quite frequently at the beginning and end of a data transfer, affecting the way the data is handled at both ends.

The diagram below shows how data is buffered by the sender before sending, and by the receiver upon reception.

Buffers allow for more efficient transfer of data when sending more than one maximum segment size (MSS) worth of data for example, transferring a large file. However, large buffers do more harm than good when dealing with real-time applications which require that data to be transmitted as quickly as possible. Consider what would happen to a Telnet session, for instance, if TCP waited until there was enough data to fill a packet before it would send one: You would have to type over a thousand characters before the first packet would make it to the remote device. Not very useful.

This is where the PSH flag comes in. The socket that TCP makes available at the session level can be written to by the application with the option of "pushing" data out immediately, rather than waiting for additional data to enter the buffer. When this happens, the PSH flag in the outgoing TCP packet is set to 1 (on). Upon receiving a packet with the PSH flag set, the other side of the connection knows to immediately forward the segment up to the application. To summarize, TCP's push capability accomplishes two things:

•     The sending application informs TCP that data should be sent immediately.

•     The PSH flag in the TCP header informs the receiving host that the data should be pushed up to the receiving application immediately.

We can see an example of the PSH flag being used in this packet capture of an HTTP GET request. In packet #122, we see that the initial HTTP request has its PSH flag set, indicating that the client has no further data to add and the request should be sent up to the application (in this case, a Web Server) immediately. The server sets the PSH flag on packet #145, which contains the last bytes of the file requested. Again, the PSH flag is used to inform the receiver that the sender has no further data to transmit (for now).

HTTP GET

As mentioned, the PSH flag is also used to facilitate real-time communication via TCP. This packet capture of a short Telnet session shows that all packets carrying Telnet data have the PSH flag set to prevent key presses from being buffered by TCP.

Telnet

URG Flag:


This flag is used to identify incoming data as 'urgent'. Such incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately.

An Urgent Pointer could be used during a stream of data transfer where a host is sending data to an application running on a remote machine. If a problem appears, the host machine needs to abort the data transfer and stop the data processing on the other end. Under normal circumstances, the abort signal will be sent and queued at the remote machine until all previously sent data is processed, however, in this case, we need the abort signal to be processed immediately.

By setting the abort signal's segment Urgent Pointer flag to '1', the remote machine will not wait till all queued data is processed and then execute the abort. Instead, it will give that specific segment priority, processing it immediately and stopping all further data processing.

If you're finding it hard to understand, consider this real-life example:

At your local post office, hundreds of trucks are unloading bags of letters from all over the world. Because the amount of trucks entering the post office building are abundant, they line up one behind the other, waiting for their turn to unload their bags.

As a result, the queue ends up being quite long. However, a truck with a big red flag suddenly joins the queue and the security officer, whose job it is to make sure no truck skips the queue, sees the red flag and knows it's carrying very important letters that need to get to their destination urgently. By following the normal procedures, the security officer signals to the truck to skip the queue and go all the way up to the front, giving it priority over the other the trucks.

In this example, the trucks represent the segments that arrive at their destination and are queued in the buffer waiting to be processed, while the truck with the red flag is the segment with the Urgent Pointer flag set.

A further point to note is the existence of theUrgent Pointer field. This field is covered in section 5, but we can briefly mention that when the Urgent Pointer flag is set to '1' (that's the one we are analysing here), then the Urgent Pointer field specifies the position in the segment where urgent data ends.

Since the packet is plucked out of the processing queue and acted upon immediately, it is known as an Out Of Band (OOB) packet and the data is called Out Of Band (OOB) data.

It was surprisingly difficult to find the use of URG flag in real-world captures.

Leave your comment below