How to differentiate SYN packet from monitoring traffic and actual application traffic ?

Hi All,

 

I am trying to investigate a monitor flap issue.

 

Monitor used is tcp_half_open

 

SNAT automap is being used on VS.

 

Packet capture during issue is around 200 MB.

 

Checking the capture file i see lot of SYN packets, is there any way i can identify the specific monitoring traffic ?