Hi, I have a trace showing two packets; both with a TCP Length of 1 byte, both with a payload of 0x00 and both with the ACK flag set. In fact they are identical except for seq no., ack no. and checksum. The Info column shows TCP Segment of a reassembled PDU for the first packet and TCP Keep-Alive for the second packet. The screenshot above shows the hex dumps of both packets (1 and 8). Why does Wireshark interpret these two packets differently? I believe that they are both Keep-Alives.
Thanks and regards...Paul
asked 29 Jul '15, 14:41 PaulOfford
One Answer:
OK - I've just had a bit of a lesson on TCP from a colleague and I now understand the issue. A TCP Keep-Alive is sent with a Seq No one less than the sequence number the receiver is expecting. Because the receiver has already ACKd the Seq No of the Keep-Alive (because that Seq No was in the range of an earlier segment), it just ACKs it again and discards the segment (packet). In my trace I haven't captured the previous packets and so Wireshark doesn't know what the next expected sequence number should be, and so it is unable to determine the first packet as a Keep-Alive.
Best regards...Paul
answered 30 Jul '15, 03:37 PaulOfford

Yes it is the answer that I would give you, too. So I think you can accept yourself the answer, so others can learn. (30 Jul '15, 12:30) Christian_R

I'll do it for Paul, no problem ;-) (31 Jul '15, 03:01) Jasper ♦♦
This is not easy to answer because we need to see the sequence numbers of the packets from the same source before the two packets you posted. Can you upload the (sanitized?) pcap to cloudshark? It's much easier to work with pcaps than with screenshots...
Hi Jasper,
The tracefile is here http://www.tribelabzero.com/download/tds_sql_batch_bug1.pcapng
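The rule from the accepted answer, as an added example (my own illustration, not code from the thread or from Wireshark): a simplified model of the Keep-Alive heuristic, run once on a constructed capture that starts mid-stream like Paul's trace and once on a capture that also holds the preceding data segment. The endpoint string and sequence numbers are made up.

```python
from dataclasses import dataclass
from typing import Dict, List

CLIENT = "10.0.0.1:49152"  # constructed sample endpoint (any string key works)

@dataclass
class Segment:
    src: str
    seq: int
    payload: bytes
    ack_flag: bool = True
    syn_fin_rst: bool = False

def classify_stream(segments: List[Segment]) -> List[str]:
    """Simplified model of Wireshark's TCP-analysis Keep-Alive rule.

    Keep-Alive: 0 or 1 payload bytes, ACK set, no SYN/FIN/RST, and seq one
    below the sender's next expected sequence number (nxtseq), i.e. a
    re-sent, already-ACKed byte.  nxtseq is learnt only from earlier
    segments, so the first segment seen in a direction is never labelled.
    """
    nxtseq: Dict[str, int] = {}
    labels = []
    for seg in segments:
        expected = nxtseq.get(seg.src)
        if (len(seg.payload) <= 1 and seg.ack_flag and not seg.syn_fin_rst
                and expected is not None and seg.seq == expected - 1):
            labels.append("TCP Keep-Alive")
            continue  # old byte: nxtseq must not advance
        labels.append("Data" if seg.payload else "ACK")
        end = seg.seq + len(seg.payload)
        if expected is None or end > expected:
            nxtseq[seg.src] = end
    return labels

def mid_stream_capture() -> List[str]:
    # Like the poster's trace: nothing before the first probe was captured.
    return classify_stream([
        Segment(CLIENT, seq=999, payload=b"\x00"),
        Segment(CLIENT, seq=999, payload=b"\x00"),
    ])

def full_capture() -> List[str]:
    # Same probes, but the preceding data segment (bytes 990..999) is present.
    return classify_stream([
        Segment(CLIENT, seq=990, payload=b"x" * 10),
        Segment(CLIENT, seq=999, payload=b"\x00"),
        Segment(CLIENT, seq=999, payload=b"\x00"),
    ])
```

With the history missing the first probe is labelled plain Data, exactly the behaviour the question describes; with the data segment present both probes are Keep-Alives.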