Hi *

he@xxxxxxxx wrote:
> Thomas Graf wrote:
> >now, cause almost all packets have the ACK bit set this rule
> >matches all small packets with no ip options. it could be
> >done better with nexthdr to match packets with ip options
> >set too.
>
> Wouldn't it also be necessary to match the packets with ACK set + Data
> or aren't they as much important as the packets we are already matching?

Read about piggybacking: most ACKs are sent within a data packet to avoid too much overhead; further, all data packets in a transaction have the ACK bit set. You might want to look for a more practical explanation about TCP than most books provide.

To quote myself:

  now, cause almost all packets have the ACK bit set this rule
  matches all small packets with no ip options.

I never tested if this rule actually improves anything; if you do, please let me know. I think it really depends on what kind of protocols you use and the average use of your line.

The match for 5 WORDS ip header len is not really needed because you could match the ACK bit with help of the nexthdr feature w/o taking care of possible ip options.

Hope that helps.

--
Thomas Graf
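The following is an added example, not code from the thread or from Thomas Graf. It assumes the rule under discussion is the usual u32 "small ACK" filter (ip protocol 6, IHL == 5 words, total length < 64, flags byte == ACK at absolute offset 33) and re-implements those u32 keys in Python against constructed packets, so the effect of the fixed offset versus an IHL-relative (nexthdr-style) flags match can be seen without running tc. The packet builder and the sample packets are constructed here, not captured traffic.

```python
import struct

# Added example: mimic tc u32 keys to show why a fixed-offset ACK match needs
# the "IHL == 5 words" key, while an IHL-relative match also catches packets
# that carry IP options. The fixed-offset keys mirrored here are assumed to be
# the rule the thread refers to:
#   match ip protocol 6 0xff / match u8 0x05 0x0f at 0 /
#   match u16 0x0000 0xffc0 at 2 / match u8 0x10 0xff at 33

TCP_ACK = 0x10
TCP_PSH = 0x08


def match_key(pkt, off, width, mask, value):
    """One u32 key: (field of `width` bytes at `off`) & mask == value."""
    if off + width > len(pkt):
        return False
    field = int.from_bytes(pkt[off:off + width], "big")
    return (field & mask) == value


def ihl_bytes(pkt):
    """IPv4 header length in bytes, taken from the IHL nibble."""
    return (pkt[0] & 0x0F) * 4


def small_ack_fixed_offset(pkt):
    """Fixed-offset rule: the IHL key is required because flags are read at byte 33."""
    return (match_key(pkt, 9, 1, 0xFF, 6)                 # ip protocol 6 (TCP)
            and match_key(pkt, 0, 1, 0x0F, 0x05)          # IHL == 5 words, no IP options
            and match_key(pkt, 2, 2, 0xFFC0, 0)           # total length < 64
            and match_key(pkt, 33, 1, 0xFF, TCP_ACK))     # TCP flags == ACK only


def small_ack_ihl_relative(pkt):
    """nexthdr-style rule: flags read at IHL+13, so no IHL key is needed."""
    return (match_key(pkt, 9, 1, 0xFF, 6)
            and match_key(pkt, 2, 2, 0xFFC0, 0)
            and match_key(pkt, ihl_bytes(pkt) + 13, 1, 0xFF, TCP_ACK))


def build_tcp_packet(flags=TCP_ACK, ip_options=b"", payload=b""):
    """Constructed IPv4/TCP packet (sample data for the example, not real traffic)."""
    assert len(ip_options) % 4 == 0, "IP options must be padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    total_len = ihl * 4 + len(tcp)
    # IPv4 header: ver/IHL, TOS, total length, id, flags/frag (DF), TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + ip_options + tcp


# Constructed samples
PURE_ACK = build_tcp_packet()                                    # 40 bytes, no options
PURE_ACK_OPTS = build_tcp_packet(ip_options=b"\x01" * 4)         # 44 bytes, four NOP options
DATA_ACK = build_tcp_packet(flags=TCP_ACK | TCP_PSH,
                            payload=b"x" * 1000)                 # ACK piggybacked on data


def classify(pkt):
    """Result of both rules for one packet."""
    return {"fixed": small_ack_fixed_offset(pkt),
            "ihl_relative": small_ack_ihl_relative(pkt)}


if __name__ == "__main__":
    for name, pkt in (("pure ACK", PURE_ACK),
                      ("pure ACK + IP options", PURE_ACK_OPTS),
                      ("data + ACK", DATA_ACK)):
        print(f"{name:24s} {classify(pkt)}")
```

The length key (0xffc0 mask on the total length) is what keeps piggybacked ACKs out of the match, not the flags key: a data segment has the ACK bit set too, as the reply above says, so only the size distinguishes it. The fixed-offset rule silently misses small ACKs carrying IP options, which is the case the IHL-relative match covers.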