Is there any reason to get the NULL length payload from a pcap file and don't get them from another please?

Perhaps one capture file has zero-length TCP segments and another doesn't.

The initial SYN is probably zero-length, but isn't guaranteed to be zero-length; the same applies to the SYN+ACK response and the ACK response to that in a 3-way handshake - and if your capture doesn't include the initial handshake, you won't see them regardless of whether they are zero-length or not.

If there's sufficient traffic running in both directions, each side's ACK may itself contain data, in which case there won't be zero-length segments during most of the life of the connection.

A FIN segment can also contain data, as can the ACK responding to that FIN, so when one side of the connection is being closed, there might again be no zero-length segments. When the other side of the connection sends its FIN, the ACK to that FIN will be zero-length, because the side sending that ACK has already sent its own FIN, indicating that it has no more data to send. If your capture doesn't include the close of either connection, it won't see that zero-length segment, however.
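
One way to check which segments in a capture are zero-length and which flags they carry, as an added example that is not part of the original answer. The capture bytes are constructed inline, the function names are hypothetical, and the parser assumes a classic pcap file (not pcapng) with Ethernet/IPv4 framing.

```python
import struct
from collections import Counter

FLAG_BITS = ((0x02, "SYN"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def tcp_segments(pcap):
    """Yield (flags, payload_len) per Ethernet/IPv4/TCP packet in a classic pcap file."""
    little = struct.unpack("<I", pcap[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D)
    rec = struct.Struct(("<" if little else ">") + "IIII")
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = rec.unpack_from(pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                            # not IPv4/TCP, or truncated
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 14 + ihl + 20:
            continue                            # IP options pushed TCP past the capture
        total_len = struct.unpack_from("!H", frame, 16)[0]
        data_off = (frame[14 + ihl + 12] >> 4) * 4
        # Use the IP total length, not the frame length: Ethernet padding is not payload.
        yield frame[14 + ihl + 13], total_len - ihl - data_off

def zero_length_summary(pcap):
    """Count zero-length TCP segments, grouped by the flags they carry."""
    return Counter("+".join(n for bit, n in FLAG_BITS if f & bit)
                   for f, length in tcp_segments(pcap) if length == 0)

def _frame(flags, payload=b"", pad=0):          # constructed frame, checksums left at 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\x00" * pad

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed capture: handshake, data with piggybacked ACKs, a FIN carrying data,
# the other side's empty FIN, and the final zero-length ACK.
SAMPLE = _pcap([_frame(0x02), _frame(0x12), _frame(0x10, pad=6),
                _frame(0x18, b"GET / HTTP/1.0\r\n\r\n"), _frame(0x18, b"HTTP/1.0 200 OK\r\n"),
                _frame(0x11, b"bye"), _frame(0x11), _frame(0x10)])

if __name__ == "__main__":
    for flags, count in zero_length_summary(SAMPLE).items():
        print(f"{flags}: {count}")
```

A capture that starts mid-connection and ends before the close would contribute none of the SYN, FIN or final-ACK entries to this summary.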