I have written a custom protocol realtime sniffer & decoder.

I read RFC, and I understand this about TCP flags:
ACK PUSH    the packet contain data
ACK         the packet is a confirmation
other        depending on the flags

If I want to speed-up the sniffer and minimize the size of the winpcap dump file.
Can I discard TCP packets with
TCP flags = ACK

Is it a good idea ?

Is this a right BPfilter expression build on this idea ?

multicast or icmp or (port 80 && (tcpflags!=tcp-ack))

ciao, Massimo

This is the WinPcap users list. It is archived at

To unsubscribe use mailto: [EMAIL PROTECTED]

Reply via email to