Tecnowatt - Massimo Sala wrote:
I read RFC, and I understand this about TCP flags: ACK PUSH the packet contain data
If you mean that a packet with ACK and PUSH set will contain data, that's probably true. (I don't know whether any TCP implementations set PUSH on segments not containing data; I have the impression it doesn't make sense to do so.)
ACK the packet is a confirmation
If you mean that a packet with ACK confirms the receipt of previous data, that's true.
If you mean that a packet with ACK but not PUSH confirms the receipt of previous data but doesn't *transmit* any data, that's *not* true - there's no guarantee that a TCP segment containing data has the PUSH flag set. Some implementations might set the PUSH flag on all data segments, but that's not required by RFC 793, and I have seen packets from implementations that don't.
If I want to speed-up the sniffer and minimize the size of the winpcap dump file.
Can I discard TCP packets with
TCP flags = ACK
?
Not if you only want TCP segments with no data discarded - that filter can discard packets with data, too.
================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
