TCP flag analysis

TCP flags

URG: this flag indicates that the urgent pointer field of the TCP header (described later) is valid. It asks the receiving TCP to deliver the bytes up to the urgent pointer ahead of the rest of the stream instead of waiting for them to reach the front of the receive buffer.

ACK: this flag indicates that the acknowledgement field is valid, that is, the acknowledgement number mentioned above is meaningful in this segment. It has two values, 0 and 1: with 1 the acknowledgement field is valid, with 0 it is not. Every segment after the first SYN of a connection carries ACK = 1.

PSH: this flag requests a push operation. A push means that the data is handed to the application as soon as it arrives at the receiving end rather than being held in the receive buffer until more data accumulates.

RST: this flag requests a connection reset. It is used to tear down a connection that has hit an error, and the TCP stack also sends it to reject segments that do not belong to any connection, for example a segment addressed to a port with no listener or a stray segment with an invalid sequence number.

SYN: this flag synchronizes sequence numbers and is used to establish a connection. SYN and ACK are used together: when a connection request is sent, SYN = 1 and ACK = 0; when the request is accepted, the reply carries SYN = 1 and ACK = 1. Segments with this flag are often used for port scanning. The scanner sends a SYN-only segment to a port. A SYN/ACK in reply means the port is open, an RST in reply means the port is closed but the host exists, and no reply means a firewall is dropping the probe. The scanner then answers the SYN/ACK with an RST instead of completing the handshake, so only the first two of the three handshake steps take place and the listening application never sees a connection (a "half-open" scan). Because the SYN/ACK is generated by the TCP stack before any handshake completes, a host cannot "force" a full handshake to defend itself: every host that listens on the port answers the probe. What stops the scan is a firewall that drops unsolicited SYNs from untrusted sources, and the probe itself is still visible to any device that logs blocked SYN segments.

FIN: this flag indicates that the sender has reached the end of its data and will send no more on this connection. After both sides have sent a FIN and had it acknowledged, the connection is closed. Segments with this flag are also used for port scanning. When a FIN-only segment is sent to a port on which no connection exists, a standard (RFC 793) TCP stack replies with an RST if the port is closed, which tells the scanner that the port is closed but the host exists. If the stack returns nothing, the port is either open or filtered by a firewall. Note that Windows and some other stacks reply with an RST to an unsolicited FIN regardless of the port state, so this kind of scan only works against stacks that follow the RFC strictly, such as Linux and the BSDs.

It should be noted that Kingsoft's log reports do not use the full names of these flags but their first letters. For example, blocking a TCP segment carrying only the FIN flag is reported as "x.x.x.x TCP packet: F". Your log may also report "x.x.x.x TCP packet: NULL". NULL means that the segment sent to you carries no flag at all. No normal connection produces such a segment, so receiving one usually means you are being scanned with a NULL scan: if your computer replies with an RST, the scanner learns that the probed port is closed and that your computer exists, and it can then switch to other scanning methods to probe further. FIN, NULL and similar probes are chosen because they can slip past a less rigorous firewall: a stateless packet filter that only blocks incoming SYN segments passes them through, whereas a stateful firewall drops any segment that does not belong to a connection it has already tracked.

Once the meaning of the flags is understood, the TCP three-way handshake is easy to follow. The sender sends a segment with SYN = 1 and ACK = 0 to the receiver, announcing its initial sequence number x; this is the first handshake. If the receiver receives the request and allows the connection, it sends back a segment with SYN = 1 and ACK = 1, acknowledging x + 1 and announcing its own initial sequence number y, which tells the sender that it may now send a confirmation; this is the second handshake. Finally, the sender sends a segment with SYN = 0 and ACK = 1, acknowledging y + 1, to tell the receiver that the connection is confirmed; this is the third handshake. The TCP connection is then established and the two sides start communicating. A SYN scan stops after the second step, which is exactly what distinguishes it from a real connection in a packet capture.
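The flag decoding, scan-probe interpretation, firewall-log naming and handshake check described above, as one added Python example that is not from the original article or from Kingsoft's product. The TCP headers are constructed by hand rather than captured, the one-letter log format (F, NULL, and flag letters in header-bit order such as AS for SYN/ACK) is an assumption about the log, and the helper names (build_tcp, parse_tcp, port_state, connection_state, log_line) are this example's own.

```python
"""Decode TCP flags, interpret scan probes, and tell a completed handshake
from a half-open SYN scan.  Added example; all packets below are constructed
by hand and the log line format is assumed, not taken from a real product."""
import struct

# Flag bits of the 13th header byte, in RFC 793 order: URG ACK PSH RST SYN FIN.
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}


def build_tcp(sport, dport, seq, ack, flags, window=65535):
    """Construct a minimal 20-byte TCP header (checksum left 0; sample data only)."""
    bits = 0
    for letter in flags:
        bits |= FLAG_BITS[letter]
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)


def parse_tcp(raw):
    """Return ports, sequence/acknowledgement numbers, urgent pointer and flag letters."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, bits, _win, _csum, urg = struct.unpack("!HHIIBBHHH", raw[:20])
    if (off >> 4) * 4 < 20:
        raise ValueError("data offset below the minimum header length")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "urg_ptr": urg,
            "flags": {k for k, v in FLAG_BITS.items() if bits & v}}


def flag_string(flags):
    """One letter per set flag, 'NULL' when none is set (the log convention in the text)."""
    return "".join(k for k in "UAPRSF" if k in flags) or "NULL"


def probe_type(flags):
    """Name the scan an unsolicited probe belongs to, or None for ordinary traffic."""
    return {frozenset("S"): "SYN scan", frozenset("F"): "FIN scan",
            frozenset(): "NULL scan", frozenset("FPU"): "Xmas scan"}.get(frozenset(flags))


def port_state(probe_flags, reply_flags):
    """Infer the probed port's state from a probe and its reply (None = no reply)."""
    probe = frozenset(probe_flags)
    if probe == frozenset("S"):
        if reply_flags is None:
            return "filtered"            # a firewall dropped the SYN
        if {"S", "A"} <= set(reply_flags):
            return "open"                # SYN/ACK: a listener answered before any handshake
        return "closed" if "R" in reply_flags else "unknown"
    if probe in (frozenset("F"), frozenset(), frozenset("FPU")):
        if reply_flags is None:
            return "open|filtered"       # RFC 793 stacks stay silent on open ports; so do drops
        return "closed" if "R" in reply_flags else "unknown"
    return "unknown"


def connection_state(segments):
    """Classify a client->server, server->client, client->server exchange of parsed segments.

    'established' needs SYN, then SYN/ACK acknowledging x+1, then ACK acknowledging y+1;
    'half-open' is a SYN answered by SYN/ACK that the client never completed (a SYN scan);
    'refused' is a SYN met by RST."""
    if not segments or segments[0]["flags"] != {"S"}:
        return "not a connection attempt"
    isn = segments[0]["seq"]
    if len(segments) < 2:
        return "no reply"
    second = segments[1]
    if "R" in second["flags"]:
        return "refused"
    if second["flags"] != {"S", "A"} or second["ack"] != isn + 1:
        return "unexpected reply"
    if len(segments) >= 3:
        third = segments[2]
        if third["flags"] == {"A"} and third["seq"] == isn + 1 and third["ack"] == second["seq"] + 1:
            return "established"
    return "half-open"


def log_line(src_ip, raw):
    """Render a blocked segment the way the text's firewall log does (format assumed)."""
    return f"{src_ip} TCP packet: {flag_string(parse_tcp(raw)['flags'])}"


if __name__ == "__main__":
    # Constructed sample: a SYN scan that the target answers but the scanner never completes.
    syn = parse_tcp(build_tcp(40000, 80, 1000, 0, "S"))
    synack = parse_tcp(build_tcp(80, 40000, 5000, 1001, "SA"))
    print(probe_type(syn["flags"]), port_state(syn["flags"], synack["flags"]))  # SYN scan open
    print(connection_state([syn, synack]))                                      # half-open
    print(log_line("10.0.0.5", build_tcp(40000, 22, 7, 0, "")))                  # 10.0.0.5 TCP packet: NULL
```

connection_state is the check worth keeping: a SYN followed by a SYN/ACK with no matching third ACK is the signature of a half-open scan in a capture, while the sequence-number checks prevent an unrelated stray SYN/ACK from being mistaken for a completed connection.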