Tuesday 14 March 2017

Netflow records - TCP flags explained


After setting up nfdump for netflow analysis, I was going through the flow records and got puzzled by the flags column. It took some time to understand the concept.


Netflow records contain a field reporting the cumulative OR-ed TCP flags seen in the flow, e.g. in a regular TCP connection, a client would send a SYN, then an ACK, then optional flags like PSH, and finally a FIN. The table below reports a summary of TCP flags with their binary and decimal values.


Consider two netflow records - a normal TCP connection and a closed port.

1) Normal TCP connection - If we sum (using the OR operator) all the flags used in a TCP connection (SYN(2) + ACK(16) + PSH(8) + FIN(1)), we get 27.

    Client-to-server: TCP flags = 2 SYN(2)
    Server-to-client: TCP flags = 16 ACK(16)
    Client side optional flags: TCP flags = 8 PSH(8)
    Client-to-server: TCP flags = 1 FIN(1)

    Cumulative flag value - 2 [SYN(2)] + 16 [ACK(16)] + 8 [PSH(8)] + 1 [FIN(1)] = 27

2) Closed port - Our client would send a SYN packet while the server replies with an RST/ACK packet. So, we have two flows:

    Client-to-server: TCP flags = 2 (SYN(2))
    Server-to-client: TCP flags = 20 (RST(4) + ACK(16))
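The two cases above, worked through in code. This is an added example, not code from the original post or from nfdump; the flag bit values are the standard TCP ones, the "UAPRSF" layout of nfdump's text flag column and the classify_flow_pair labels are my assumptions.

```python
# Added example, not from the original post: encode, decode and interpret the
# cumulative TCP flags value that a flow record carries.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
BIT_ORDER = sorted(TCP_FLAGS, key=TCP_FLAGS.get)   # FIN, SYN, RST, PSH, ACK, URG


def encode_flags(names):
    """OR the named flags together, as a flow exporter accumulates them per flow."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name]
    return value


def decode_flags(value):
    """Return the flag names present in a cumulative flags value, lowest bit first."""
    return [name for name in BIT_ORDER if value & TCP_FLAGS[name]]


def parse_nfdump_flag_string(text):
    """Decode a six-character textual flag column such as '.AP.SF'.
    Assumption: the column is laid out as 'UAPRSF', with '.' for an unset flag."""
    layout = "UAPRSF"
    letter_to_name = {"U": "URG", "A": "ACK", "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}
    text = text.strip()
    if len(text) != len(layout):
        raise ValueError("expected a 6-character flag string, got %r" % text)
    value = 0
    for ch, expected in zip(text, layout):
        if ch == expected:
            value |= TCP_FLAGS[letter_to_name[ch]]
        elif ch != ".":
            raise ValueError("unexpected flag character %r" % ch)
    return value


def classify_flow_pair(client_flags, server_flags):
    """Label the two cases from the post given the cumulative flags of each direction.
    Assumption: the two records were already matched as one connection by 5-tuple."""
    client = set(decode_flags(client_flags))
    server = set(decode_flags(server_flags))
    combined = client | server
    if client == {"SYN"} and {"RST", "ACK"} <= server:
        return "closed port (SYN answered by RST/ACK)"
    if {"SYN", "ACK", "FIN"} <= combined and "RST" not in combined:
        return "completed connection"
    if client == {"SYN"} and not server:
        return "SYN with no reply"
    return "other"
```

With the post's numbers, the client-side flows of the normal connection OR to 11 (SYN + PSH + FIN) and the server side to 16, which combine to 27; the closed-port pair is 2 and 20.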


A good explanation of TCP flags in netflow based on flow-viewer is available here: https://blog.pierky.com/netflow-weird-tcp-flags-in-flowviewer-and-flow-print/