This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to know if the packet is an acknowledgement packet or not

0

I am capturing packets using Wireshark and almost all of them contain the [ACK] flag. I don't know how to differentiate between data packets and TCP acknowledgement packets when all of them carry the [ACK] flag, so any help?!

asked 03 May '15, 15:55


yas1234


One Answer:

1

Every packet except the initial SYN packet has the ACK flag set. That's normal. If you're looking for packets acknowledging data without carrying data themselves just look for packets that have a TCP payload length of zero. You can filter for those by using "tcp.len==0".

answered 03 May '15, 16:12


Jasper ♦♦

Thank you so much, it's clear now!

(04 May '15, 02:20) yas1234

@yas1234: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(04 May '15, 08:39) Kurt Knochner ♦

Okay, but if I have a packet carrying data AND ACK, how do I know that this packet contains an acknowledgement if the payload is not equal to zero? I mean, then I will know it's a data pkt, not data+ACK.

(06 May '15, 06:06) yas1234

Every packet except the first SYN packet has the ACK flag. So there is no data packet without ACK.

(06 May '15, 09:03) Jasper ♦♦
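
As an added illustration (not part of the original thread and not Wireshark's own code), this Python sketch computes the same payload length that the "tcp.len" filter tests and uses it, together with the flags, to separate pure ACKs from segments that carry data and an ACK at once. The packet builder, addresses, ports and labels are constructed for the example; it also shows that payload-less SYN, FIN and RST segments match "tcp.len==0", so a search for bare acknowledgements should exclude them.

```python
import struct

# TCP flag bits as defined in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def build_ipv4_tcp(flags, payload=b"", seq=1000, ack=2000):
    """Constructed sample input: IPv4 + TCP headers (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, seq, ack,
                      5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp + payload

def classify(packet):
    """Return (label, tcp_len) for a raw IPv4 packet that carries TCP."""
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:                        # IP protocol 6 = TCP
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4          # TCP header length incl. options
    flags = tcp[13]
    # Payload length from the IP total length, not the buffer size:
    # short Ethernet frames are padded, and padding is not TCP data.
    tcp_len = total_len - ihl - data_offset
    if flags & (SYN | FIN | RST):
        label = "control"                     # handshake / teardown / reset
    elif not flags & ACK:
        label = "no-ack"                      # not expected in a live connection
    elif tcp_len == 0:
        label = "pure-ack"                    # acknowledges data, carries none
    else:
        label = "data+ack"                    # carries data and acknowledges
    return label, tcp_len

if __name__ == "__main__":
    samples = {
        "initial SYN": build_ipv4_tcp(SYN),
        "bare ACK, padded to 60 bytes": build_ipv4_tcp(ACK) + b"\x00" * 6,
        "HTTP request": build_ipv4_tcp(ACK, b"GET / HTTP/1.1\r\n"),
        "FIN+ACK": build_ipv4_tcp(FIN | ACK),
    }
    for name, pkt in samples.items():
        print(name, "->", classify(pkt))
```

In Wireshark itself, the "pure-ack" case corresponds to combining "tcp.len==0" with "tcp.flags.ack==1" and excluding the SYN, FIN and RST flags.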