This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark TCP Keep-Alive detection


Hi,

I have a trace showing two packets; both with a TCP Length of 1 byte, both with a payload of 0x00 and both with the ACK flag set. In fact they are identical except for seq no., ack no. and checksum. The Info column shows TCP Segment of a reassembled PDU for the first packet and TCP Keep-Alive for the second packet.

[Screenshot: hex dumps of packets 1 and 8]

The screenshot above shows the hex dumps of both packets (1 and 8). Why does Wireshark interpret these two packets differently? I believe that they are both Keep-Alives.

Thanks and regards...Paul

asked 29 Jul '15, 14:41


PaulOfford

This is not easy to answer because we need to see the sequence numbers of the packets from the same source before the two packets you posted. Can you upload the (sanitized?) pcap to cloudshark? It's much easier to work with pcaps than with screenshots...

(29 Jul '15, 14:46) Jasper ♦♦
(29 Jul '15, 23:29) PaulOfford

One Answer:


OK - I've just had a bit of a lesson on TCP from a colleague and I now understand the issue.

A TCP Keep-Alive is sent with a Seq No one less than the sequence number the receiver is expecting. Because the receiver has already ACKed the Seq No of the Keep-Alive (because that Seq No was in the range of an earlier segment), it just ACKs it again and discards the segment (packet).

In my trace I haven't captured the previous packets, so Wireshark doesn't know what the next expected sequence number should be, and so it is unable to identify the first packet as a Keep-Alive.

Best regards...Paul

answered 30 Jul '15, 03:37


PaulOfford
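The behaviour described in the answer can be reproduced with a small re-implementation of Wireshark's keep-alive heuristic. Wireshark's TCP analysis documentation states the rule as: the segment carries 0 or 1 bytes of payload, its sequence number is one less than the next expected sequence number for that direction, and none of SYN, FIN or RST are set. The code below is an added example, not Wireshark's source and not from the original post; the addresses, ports, sequence numbers and segment list are constructed for illustration. It shows that the first segment seen on a flow can never be classified (there is no "next expected" yet), while the same segment is flagged as a keep-alive once the preceding data segment is in the capture.

```python
"""Re-implementation of Wireshark's TCP Keep-Alive heuristic (added example).

Rule (Wireshark "TCP Analysis" documentation): a segment is TCP Keep-Alive
when its payload is 0 or 1 bytes, its sequence number is one less than the
next expected sequence number for that direction, and none of SYN/FIN/RST
are set.  Everything below (addresses, ports, sequence numbers) is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

SEQ_MOD = 2 ** 32


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload_len: int
    flags: FrozenSet[str]


FlowKey = Tuple[str, int, str, int]


def seq_after(a: int, b: int) -> bool:
    """True if a is strictly later than b in 32-bit wrapping sequence space."""
    return a != b and ((a - b) % SEQ_MOD) < SEQ_MOD // 2


class KeepAliveClassifier:
    """Tracks the next expected sequence number per direction, like Wireshark."""

    def __init__(self) -> None:
        # Absent until the first segment in that direction has been seen.
        self.next_seq: Dict[FlowKey, int] = {}

    def classify(self, seg: Segment) -> str:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        nxt = self.next_seq.get(key)

        if seg.flags & {"SYN", "FIN", "RST"}:
            verdict = "control"
        elif nxt is None:
            # First segment seen in this direction: no reference point, so the
            # keep-alive rule cannot fire.  Wireshark just shows it as data.
            verdict = "no prior state"
        elif seg.payload_len <= 1 and seg.seq == (nxt - 1) % SEQ_MOD:
            # Keep-alive: one byte below SND.NXT; it does NOT advance next_seq.
            return "keep-alive"
        elif seg.seq == nxt:
            verdict = "in-order data"
        elif seq_after(nxt, seg.seq):
            verdict = "retransmission/overlap"
        else:
            verdict = "gap (previous segment not captured)"

        # Advance the expected sequence number past this segment.
        end = (seg.seq + seg.payload_len + (1 if seg.flags & {"SYN", "FIN"} else 0)) % SEQ_MOD
        if nxt is None or seq_after(end, nxt):
            self.next_seq[key] = end
        return verdict


def classify_trace(segments: List[Segment]) -> List[str]:
    c = KeepAliveClassifier()
    return [c.classify(s) for s in segments]


def seg(seq: int, length: int, flags=("ACK",)) -> Segment:
    """Constructed client->server segment (hypothetical addresses)."""
    return Segment("10.0.0.1", 51000, "10.0.0.2", 443, seq, length, frozenset(flags))


# The situation in the question: the capture starts at a keep-alive.
PARTIAL_TRACE = [
    seg(1000, 1),    # "packet 1": 1 byte of 0x00 with ACK set
    seg(1001, 500),  # ordinary data from the same sender
    seg(1500, 1),    # "packet 8": another 1-byte probe
]

# The same conversation with the earlier data segment captured too.
FULL_TRACE = [seg(501, 500)] + PARTIAL_TRACE

if __name__ == "__main__":
    for name, trace in (("partial", PARTIAL_TRACE), ("full", FULL_TRACE)):
        print(name, classify_trace(trace))
```

Running the script prints `['no prior state', 'in-order data', 'keep-alive']` for the partial trace and `['no prior state', 'keep-alive', 'in-order data', 'keep-alive']` for the full one: the probe at seq 1000 only becomes a keep-alive once the classifier has seen that the sender's next expected sequence number was 1001. Wireshark's own dissector keeps more state (window sizes, the reverse direction's last segment for "Keep-Alive ACK", etc.), but the sequence-number comparison is the part that explains the question.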

Yes, it is the answer that I would give, too.

So I think you can accept your own answer, so others can learn.

(30 Jul '15, 12:30) Christian_R

I'll do it for Paul, no problem ;-)

(31 Jul '15, 03:01) Jasper ♦♦