not sure ESTABLISHED TCP traffic will have ACK flag setalways...

seberino at seberino at
Sat Apr 9 08:24:31 CEST 2005

> Thus if I have
> received packets 1234, 1235, 1236, and 1237 from you I would send a packet
> back to you with an ACK of 1238 statin gthat I'm expecting your next
> sequence number to be 1238 effectively ACKing all packets up to and
> including 1237.


Thanks for your reply.  I did not know you could ACK multiple sequence
numbers with a single ACK.  That really helps.   You obviously
have a deep knowledge of TCP.

I am still confused why anyone could believe that packets //without//
the ACK flag set are suspicious.  Going back to your scenario above,
there is a faster side blasting packets (1234, 1235, 1236, 1237...)
faster than the other side is sending packets.  Clearly the
faster side cannot set the ACK bit in all those packets
(1234, 1235, 1236, 1237...) on because the fast side has fewer
incoming packets to acknowledge right?


More information about the netfilter mailing list