ACC vs CON in TCP

Carter Bullard carter at qosient.com
Wed Mar 25 10:51:48 EDT 2015


Hey John,
The ACC is “Accepted”, there was a response for the TCP SYN request.
CON means that the TCP is “Connected”, SYN -> SYN_ACK -> ACK.

The existing code 3.0.8 doesn’t use ‘EST’, I believe that it was
confusing for others as well.  We used EST and CON in 2.x and in 3.0.2
to distinguish EST (syn, synack, ack) from data transfer.  We changed
that to deal with asymmetric flows and when there are high loss rates,
as you may see data transfer (CON) without seeing all the establishment
packets (EST).  With the inclusion of ‘appbytes’ we know exactly if
there was data transfer, so the differences kinda went away.
We include all the labels in the man pages for continuity.

When you use the -z option, the printed status has
slightly more information, and of course you can print
either side's accumulated tcpflags with -Z to get the PUSH,
URG, ECE and CWR flags if they existed.

So to break down the TCP State machine indicators:
                                       -z
  Initiator sends SYN         -  REQ   ‘s’
  Responder sends SYN_ACK     -  ACC   ‘S’
  Responder rejects           -  RST   ‘R’

  Initiator sends ACK         -  CON   ‘E’
  Initiator sends data        -  CON   ‘E’

  Timed Out                   -  TIM
  Either party sends FIN      -  FIN   ‘f’
  Either party sends FIN_ACK  -  FIN   ‘F’
  Both parties ACK            -  CLO   ‘C’



Carter



> On Mar 24, 2015, at 11:04 PM, John T. Myers <myersj0 at gmail.com> wrote:
> 
> Hi,
> 
> I had a question about the difference between ACC and CON, for TCP connections.
> 
> ACC appears less frequently, does this basically indicate that the TCP session is mid-handshake? The manual reads that "a connection request has been answered" but does not imply the connection is fully built up.
> 
> Also, I have yet to see an EST flag for TCP connections, only CON. Can I assume they essentially mean the same thing?
> 
> Thanks!
> John
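
Added example (not part of the original message and not Argus code): a small Python tracker that walks a packet sequence and reports the state label and -z character from the table above, including the case where data is seen without the handshake. The function names, the "I"/"R" sender tags and the sample packets are constructed for illustration; TIM is left out because it depends on a flow timer.

```python
# Added illustration, not Argus source code. Labels and -z characters come
# from the table in the message above.
STAGES = [  # (internal stage, printed label, -z character), in advancing order
    ("REQ", "REQ", "s"), ("ACC", "ACC", "S"), ("CON", "CON", "E"),
    ("FIN", "FIN", "f"), ("FIN_ACK", "FIN", "F"), ("CLO", "CLO", "C"),
]
RANK = {name: i for i, (name, _, _) in enumerate(STAGES)}


def stage_for(sender, flags, payload, fin_sent, fin_acked):
    """Stage implied by one packet plus the FIN bookkeeping so far."""
    if fin_sent == {"I", "R"} and fin_acked == {"I", "R"}:
        return "CLO"                      # both parties ACKed the close
    if fin_acked:
        return "FIN_ACK"
    if fin_sent:
        return "FIN"
    if "SYN" in flags:
        if sender == "R" and "ACK" in flags:
            return "ACC"                  # the request was answered
        return "REQ" if sender == "I" else None
    # Data counts as CON even with no handshake seen (asymmetric/lossy paths).
    if payload > 0 or (sender == "I" and "ACK" in flags):
        return "CON"
    return None


def flow_state(packets):
    """packets: list of (sender, flags, payload_len); sender is "I" or "R".

    Assumptions: any RST ends the flow as RST, and any ACK from the peer
    after a FIN acknowledges that FIN (no sequence-number tracking).
    """
    stage, fin_sent, fin_acked = None, set(), set()
    for sender, flags, payload in packets:
        if "RST" in flags:
            return ("RST", "R")
        peer = "R" if sender == "I" else "I"
        if "ACK" in flags and peer in fin_sent:
            fin_acked.add(peer)
        if "FIN" in flags:
            fin_sent.add(sender)
        new = stage_for(sender, flags, payload, fin_sent, fin_acked)
        if new and (stage is None or RANK[new] > RANK[stage]):
            stage = new                   # stages only advance
    return STAGES[RANK[stage]][1:] if stage else (None, None)

# Constructed sample: handshake, one data segment, then an orderly close.
SAMPLE = [("I", {"SYN"}, 0), ("R", {"SYN", "ACK"}, 0), ("I", {"ACK"}, 0),
          ("I", {"ACK", "PSH"}, 120), ("I", {"FIN", "ACK"}, 0),
          ("R", {"FIN", "ACK"}, 0), ("I", {"ACK"}, 0)]
```

Calling flow_state(SAMPLE[:n]) for increasing n shows the label advancing REQ, ACC, CON, FIN, CLO as each packet is added.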
