Tecnowatt - Massimo Sala wrote:

I read RFC, and I understand this about TCP flags:
ACK PUSH    the packet contain data

If you mean that a packet with ACK and PUSH set will contain data, that's probably true. (I don't know whether any TCP implementations set PUSH on segments not containing data; I have the impression it doesn't make sense to do so.)

ACK the packet is a confirmation

If you mean that a packet with ACK confirms the receipt of previous data, that's true.

If you mean that a packet with ACK but not PUSH confirms the receipt of previous data but doesn't *transmit* any data, that's *not* true - there's no guarantee that a TCP segment containing data has the PUSH flag set. Some implementations might set the PUSH flag on all data segments, but that's not required by RFC 793, and I have seen packets from implementations that don't.

If I want to speed-up the sniffer and minimize the size of the winpcap dump file.
Can I discard TCP packets with
TCP flags = ACK

Not if you only want TCP segments with no data discarded - that filter can discard packets with data, too.

================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

To unsubscribe use mailto: [EMAIL PROTECTED]

Reply via email to