This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How does WireShark figure out whether it’s keep-alive ack or window update??

0

A tcp keep-alive ack packet is transmitted after a tcp keep-alive packet is received. WireShark usually analyzes and indicates both packets correctly. For example, #428 and #429. However, I guess sometimes WireShark's analysis regards a keep-alive ack packet as a window update packet. For example, look at #2286 which is supposed to be a keep-alive ack packet.

428  1404.64744  A.ip  B.ip  TCP  68  **[TCP Keep-Alive]** swtp-port2 > 44103 [ACK] Seq=1821 Ack=1261 Win=18 Len=0 TSval=2238040615 TSecr=9119404

429 1404.64761 B.ip A.ip TCP 68 [TCP Keep-Alive ACK] 44103 > swtp-port2 [ACK] Seq=1261 Ack=1822 Win=308 Len=0 TSval=9209541 TSecr=2237140547

2285 2304.82955 A.ip B.ip TCP 52 [TCP Keep-Alive] swtp-port2 > 65000 [ACK] Seq=1392 Ack=893 Win=8192 Len=0 TSval=589947877 TSecr=495405251

2286 2304.83016 B.ip A.ip TCP 52 [TCP Window Update] 65000 > swtp-port2 [ACK] Seq=893 Ack=1393 Win=131072 Len=0 TSval=496304961 TSecr=589047846

So, does anyone know how WireShark figues out a packet is TCP Keep-Alive ACK or TCP Window Update? or any difference between those two??? Thank you.

asked 25 Jun ‘13, 22:53

JackBox's gravatar image

JackBox
11112
accept rate: 0%


One Answer:

0

Your quote is missing a vital information, and that is the packet coming from B.ip of the second conversation before the packet with the Window Update. A Window Update is diagnosed when a TCP packet arrives that has the same sequence number as the last packet and it's only new information is a different window size than the previous packet did. Maybe that packet is also a keep alive ack, but I think only one expert message is shown per info row.

answered 26 Jun '13, 01:42

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%