I am capturing packets using Wireshark and almost all of them contain the [ACK] flag. I don't know how to differentiate between data packets and TCP acknowledgement packets when all of them carry the flag [ACK], so any help?! asked 03 May '15, 15:55 yas1234
One Answer:
Every packet except the initial SYN packet has the ACK flag set. That's normal. If you're looking for packets acknowledging data without carrying data themselves, just look for packets that have a TCP payload length of zero. You can filter for those by using "tcp.len==0". answered 03 May '15, 16:12 Jasper
Thank you so much, it's clear now!
@yas1234: If a supplied answer resolves your question, can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can upvote the answer (thumb up).
Okay, but if I have a packet carrying data AND ACK, how do I know that this packet contains an acknowledgement if the payload is not equal to zero? I mean, then I will know it's a data pkt, not data+ack.
Every packet except the first SYN packet has the ACK flag. So there is no data packet without ACK.
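The distinction made in this thread (every segment after the first SYN carries ACK, so "pure acknowledgement" means ACK set with a zero-length payload, which is what the display filter "tcp.len==0" selects) can be seen directly in the TCP header bytes. The following Python script is an added example, not part of the original thread or of Wireshark: it builds a small constructed "capture" of TCP segments (handshake, one data segment, its acknowledgement), decodes the data-offset/flags word the way a dissector does, and classifies each segment by whether it has a payload. The port numbers, sequence numbers and payload are constructed sample values.

```python
import struct

# TCP flag bits in the low 9 bits of the 16-bit data-offset/flags word (RFC 793)
FLAG_FIN = 0x001
FLAG_SYN = 0x002
FLAG_RST = 0x004
FLAG_PSH = 0x008
FLAG_ACK = 0x010


def build_tcp_segment(src_port, dst_port, seq, ack, flags, options=b"", payload=b""):
    """Build a minimal TCP segment (constructed test data; checksum left as 0)."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 4-byte boundary")
    data_offset_words = 5 + len(options) // 4          # header length in 32-bit words
    offset_flags = (data_offset_words << 12) | flags
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, 65535, 0, 0)
    return header + options + payload


def parse_tcp_segment(segment):
    """Decode the fields Wireshark shows as tcp.flags and tcp.len."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (offset_flags >> 12) * 4             # header length in bytes, options included
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset %d" % data_offset)
    flags = offset_flags & 0x1FF
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        "flags": flags,
        "syn": bool(flags & FLAG_SYN),
        "ack_set": bool(flags & FLAG_ACK),
        # tcp.len: bytes after the header, i.e. the segment payload
        "tcp_len": len(segment) - data_offset,
    }


def classify(segment):
    """Label a segment the way the answer above distinguishes them."""
    info = parse_tcp_segment(segment)
    if info["syn"] and not info["ack_set"]:
        return "SYN (only segment without ACK)"
    if info["syn"]:
        return "SYN-ACK (handshake reply, tcp.len == 0)"
    if info["tcp_len"] == 0:
        return "pure ACK (tcp.len == 0)"
    return "data + ACK (tcp.len == %d)" % info["tcp_len"]


def pure_acks(segments):
    """Equivalent of the display filter tcp.len==0: indices of payload-less segments."""
    return [i for i, s in enumerate(segments) if parse_tcp_segment(s)["tcp_len"] == 0]


# Constructed sample capture: handshake, one data segment, its acknowledgement.
MSS_OPTION = b"\x02\x04\x05\xb4"  # MSS = 1460; grows the header to 24 bytes
SAMPLE_SEGMENTS = [
    build_tcp_segment(40000, 80, 1000, 0, FLAG_SYN, options=MSS_OPTION),
    build_tcp_segment(80, 40000, 5000, 1001, FLAG_SYN | FLAG_ACK, options=MSS_OPTION),
    build_tcp_segment(40000, 80, 1001, 5001, FLAG_ACK),
    build_tcp_segment(40000, 80, 1001, 5001, FLAG_PSH | FLAG_ACK, payload=b"hello, server"),
    build_tcp_segment(80, 40000, 5001, 1014, FLAG_ACK),
]

if __name__ == "__main__":
    for i, seg in enumerate(SAMPLE_SEGMENTS):
        print(i, classify(seg))
    print("tcp.len==0 matches:", pure_acks(SAMPLE_SEGMENTS))
```

Note that "tcp.len==0" matches every payload-less segment, including the initial SYN and the SYN-ACK in this sample (indices 0 and 1), because the filter only looks at payload length; the classifier above checks the SYN bit first so those show up separately. The data segment at index 3 has both the ACK flag and 13 bytes of payload, which is exactly the "data + ACK" case asked about in the comments: it acknowledges the peer's data (the ack field) and carries its own at the same time.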