This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

keep alive packets at the end of the session

0

Hi, I have captured a TCP session which has a TCP keep alive packet at the end. Machine A has sent the keep alive packet to machine B and machine B has acknowledged this keep alive packet. But there is no communication between them after that. Does this mean the connection is still open between the two machines? If the connection is closed, how do I determine when it was closed between them?

The TCP session I captured looks like this: link text

Thanks in advance.

asked 23 Sep '13, 03:21


Swamy
16225
accept rate: 0%


One Answer:

1

Yes, the connection is still open between the machines in your capture. Usually, one of the two machines will terminate the session after a global timeout is reached, but sometimes you'll see Keep-Alives for a long, long time, e.g. for SSH sessions.

The closing of the connection will be performed either gracefully (using FIN flags) or brutally (using a Reset flag). Unless you see them, the connection is still alive.

answered 23 Sep '13, 05:20


Jasper ♦♦
23.8k551284
accept rate: 18%

One more clarification though. The dump file I have has similar kinds of TCP sessions and none of them are closed, like the dump file I have attached. So according to you all the connections are still open. One or two sessions like that I would understand as the connection still being open, but I have around 25-30 sessions like that. What might be the reason for that?

(23 Sep '13, 05:56) Swamy

Usually a connection is terminated with a Reset flag if the application that has used the port shuts down. So if the application on both ends is still alive, the connection can stay open for a long time.

E.g., users often start database applications in the morning and keep them open even while not using them for hours, so the TCP connection stays open, too. In those cases Keep Alives are very useful to prevent session termination by a Firewall or ACL, but if there aren't such devices in the network the connection doesn't even have to use Keep Alives to keep going.

(23 Sep '13, 06:07) Jasper ♦♦
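
The rule from the answer (a connection counts as open until a FIN exchange or a Reset is seen) can be applied to every stream in a capture at once. The sketch below is an added example, not part of the original thread: the packet tuples are constructed sample data, `classify` is a hypothetical helper, and the keep-alive test is a simplified heuristic (0 or 1 payload bytes, sequence number one below the next expected, no SYN/FIN/RST).

```python
from collections import defaultdict

# Constructed sample records, not taken from the poster's capture:
# (stream id, sender, sequence number, payload length, TCP flags)
PACKETS = [
    (0, "A", 1000, 0, "S"), (0, "B", 5000, 0, "SA"), (0, "A", 1001, 0, "A"),
    (0, "A", 1001, 100, "PA"), (0, "B", 5001, 0, "A"),
    (0, "A", 1100, 0, "A"),    # keep-alive probe: seq is next expected - 1
    (0, "B", 5001, 0, "A"),    # ACK of the probe, then silence
    (1, "A", 200, 0, "S"), (1, "B", 900, 0, "SA"), (1, "A", 201, 0, "A"),
    (1, "A", 201, 0, "FA"), (1, "B", 901, 0, "FA"), (1, "A", 202, 0, "A"),
    (2, "A", 300, 0, "S"), (2, "B", 700, 0, "SA"), (2, "A", 301, 0, "A"),
    (2, "B", 701, 0, "RA"),    # abortive close
]

def classify(packets):
    """Return {stream: {"end": open|half-closed|closed|reset, "keepalives": n}}."""
    next_seq = {}                      # (stream, sender) -> next expected seq
    fins = defaultdict(set)            # stream -> senders that have sent FIN
    state = defaultdict(lambda: {"end": "open", "keepalives": 0})
    for stream, src, seq, length, flags in packets:
        s, key = state[stream], (stream, src)
        if "R" in flags:
            s["end"] = "reset"
        elif "F" in flags:
            fins[stream].add(src)
            if s["end"] != "reset":
                s["end"] = "closed" if len(fins[stream]) == 2 else "half-closed"
        elif ("S" not in flags and length <= 1
              and key in next_seq and seq == next_seq[key] - 1):
            s["keepalives"] += 1       # probe re-uses an already ACKed byte
            continue                   # it does not advance the sequence space
        # SYN and FIN each consume one sequence number (wraparound ignored)
        consumed = length + ("S" in flags) + ("F" in flags)
        next_seq[key] = max(next_seq.get(key, 0), seq + consumed)
    return {stream: dict(info) for stream, info in state.items()}

if __name__ == "__main__":
    for stream, info in sorted(classify(PACKETS).items()):
        print(stream, info)
```

Streams reported as `open` with a non-zero keep-alive count match the situation in the question: the last packets are a probe and its ACK, and nothing in the capture shows the connection being torn down.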