topic Re: Flags field in csv file in General Topics

Flags field in csv file

hbshin — Thu, 02 Aug 2018 06:50:23 GMT

i have a question about flags in csv log.

do you know what does mean Flags 0x19?

in NTP OR DNS logs, flag is 0x19.

Thanks.

Re: Flags field in csv file

BPry — Thu, 02 Aug 2018 13:48:11 GMT

0x19 is essentially saying "Okay close the socket". Essentially if you send a UDP request and a response comes back, it's likely to have the 0x19 flag so that the return traffic knows "Okay we're done" and that it can close it's side of the connection.

Re: Flags field in csv file

hbshin — Fri, 03 Aug 2018 00:25:20 GMT

Hi BPry.

Thanks for your reply.

Do you know what does 0x19 have to do with AND-ing?

Thanks.

Re: Flags field in csv file

BPry — Fri, 03 Aug 2018 16:31:36 GMT

@hbshin,

I'm not entirely sure what they want you to AND the value with to be honest; AND works like this:

A B =

0 0 0= off

0 1 0= off

1 0 0= off

1 1 1=ON

So essentially unless the binary lines up '1' with '1' you get 0 (or off).

So you would have to convert 0x19 to binary and then convert (I assume) the values that they listed to binary and use AND-ing to combine them. This should give you a binary that once convirted should match one of the listed values? Honestly, not sure.

Re: Flags field in csv file

Remo — Fri, 03 Aug 2018 20:35:26 GMT

Hi @hbshin

I actually don't know what this 0x19 means as this does not matches one of the values in the documentation. Maybe support could tell you more ...

@BPry how or from where do you know what this 0x19 means? Is there somewhere a documentation page that shows more of these values?

Back to the question: this value in the flag column should be ANDed with the values from the documentation: for example the value 0x400019 means there was NAT applied:

10000000000000000011001

10000000000000000000000 (0x00400000 = NAT applied)

= 10000000000000000000000

Re: Flags field in csv file

gwesson — Fri, 03 Aug 2018 21:07:31 GMT

The operation is to apply a bitwise AND operation to the number logged (0x19) with each value from the documentation image posted. If the bitwise AND result is 0, then then the documentation detail is false. If it's 1, then it's true.

0x19 AND 0x00400000 = 0 (no NAT applied)

0x19 by itself doesn't mean anything, it's just a value that can be ANDed to produce a result of zero for each of the types there are.

As @Remo mentions, another set of flags will produce a different result. On my logs, I have NAT enabled, so my logs flags are:

0x400019. When I do a bitwise AND operation on that and 0x00400000 I get a non-zero result, meaning it's "true".

Re: Flags field in csv file

BPry — Sun, 05 Aug 2018 20:22:31 GMT

@Remo,

Flags in my experiance isn't really documented at all in any official Palo Alto documentation.

Re: Flags field in csv file

BPry — Sun, 05 Aug 2018 20:25:21 GMT

That's what I thought but it's good to know we can always count on @gwesson to know all that more technical answers. I don't go playing this far deep in the syslog values often; and you won't see the flag value when you look in the CLI or GUI, pretty much only going to see them looking at the CSV values or the straight Syslog if you forward it to some type of collector.

Re: Flags field in csv file

chells2 — Wed, 17 Oct 2018 20:24:53 GMT

Hi,

I was also looking at this, Can you clarify the query.

Is this anyway related to the TCP control flags like for 0x19 which is in binary 0001 1001, If we relate it to the TCP header options, the packet will have FIN-PSH-ACK bit set.

Similary for 0x53, in binary 0101 0011. This will have FIN-SYN-ACK-ECN bits set.

I didnt run tcpdump or wireshark. but trying to understand it from the firewall logs.