I have a trace showing two packets; both with a TCP Length of 1 byte, both with a payload of 0x00 and both with the ACK flag set. In fact they are identical except for seq no., ack no. and checksum. The Info column shows TCP Segment of a reassembled PDU for the first packet and TCP Keep-Alive for the second packet.
The screenshot above shows the hex dumps of both packets (1 and 8). Why does Wireshark interpret these two packets differently? I believe that they are both Keep-Alives.
Thanks and regards...Paul
asked 29 Jul '15, 14:41
OK - I've just had a bit of a lesson on TCP from a colleague and I now understand the issue.
A TCP Keep-Alive is sent with a Seq No one less than the sequence number the receiver is expecting. Because the receiver has already ACKed the Seq No of the Keep-Alive (because that Seq No was in the range of an earlier segment), it just ACKs it again and discards the segment (packet).
In my trace I haven't captured the previous packets, so Wireshark doesn't know what the next expected sequence number should be and is therefore unable to identify the first packet as a Keep-Alive.
answered 30 Jul '15, 03:37
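The following is an added worked example, not code from the question, the answer, or Wireshark itself. It models the sequence-number heuristic the answer describes: a segment with 0 or 1 bytes of payload, no SYN/FIN/RST, whose sequence number is exactly one below the next sequence number expected from that sender is labelled a keep-alive, and a keep-alive does not advance the expected sequence number. The expected number only exists once an earlier segment from the same sender has been seen, so the same 1-byte segment is labelled differently in a capture that starts mid-stream. The packets, the `TcpClassifier` class and its labels are constructed for this example; Wireshark's real Info text for the unclassified first packet ("TCP segment of a reassembled PDU") comes from the upper-layer dissector asking for more bytes, which this model simply reports as "Data (no prior state)".

```python
"""Simplified model of the TCP keep-alive heuristic (constructed example).

Not Wireshark's code: it only reproduces the sequence-number rule described
in the answer above, using constructed packets and hypothetical labels.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10
SEQ_MASK = 0xFFFFFFFF  # sequence numbers wrap at 2**32


@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender (constructed)
    dst: str        # "ip:port" of the receiver (constructed)
    seq: int
    ack: int
    flags: int
    payload: bytes


@dataclass
class Direction:
    next_seq: Optional[int] = None   # None until a segment from this sender is seen
    last_was_keepalive: bool = False


class TcpClassifier:
    """Tracks per-direction state and labels each segment like a dissector."""

    def __init__(self) -> None:
        self.dirs: Dict[Tuple[str, str], Direction] = {}

    def _dir(self, a: str, b: str) -> Direction:
        return self.dirs.setdefault((a, b), Direction())

    def classify(self, seg: Segment) -> str:
        fwd = self._dir(seg.src, seg.dst)   # state for this sender
        rev = self._dir(seg.dst, seg.src)   # state for the other side
        seglen = len(seg.payload)
        is_ctrl = bool(seg.flags & (SYN | FIN | RST))

        # Keep-alive: 0 or 1 byte, seq == next expected - 1, no SYN/FIN/RST.
        # Needs fwd.next_seq, which is unknown if the capture started mid-stream.
        if (fwd.next_seq is not None and seglen <= 1 and not is_ctrl
                and seg.seq == ((fwd.next_seq - 1) & SEQ_MASK)):
            fwd.last_was_keepalive = True
            return "TCP Keep-Alive"          # does not advance next_seq

        # Keep-alive ACK: a pure ACK answering the other side's keep-alive,
        # acknowledging exactly the byte it was already expecting.
        if (seglen == 0 and seg.flags & ACK and not is_ctrl
                and rev.last_was_keepalive and rev.next_seq is not None
                and seg.ack == rev.next_seq):
            label = "TCP Keep-Alive ACK"
            rev.last_was_keepalive = False
        elif seglen == 0:
            label = "ACK"
        elif fwd.next_seq is None:
            # First segment seen from this sender: nothing to compare against,
            # so the payload is just handed to the upper-layer dissector.
            label = "Data (no prior state)"
        else:
            label = "Data"

        # Advance the expected sequence number (SYN and FIN each consume one).
        fwd.next_seq = (seg.seq + seglen + (1 if seg.flags & (SYN | FIN) else 0)) & SEQ_MASK
        fwd.last_was_keepalive = False
        return label


def label_trace(segments: List[Segment]) -> List[str]:
    clf = TcpClassifier()
    return [clf.classify(s) for s in segments]


C, S = "10.0.0.1:5000", "10.0.0.2:80"   # constructed endpoints

# Constructed trace with the preceding data captured: the 1-byte segment at
# seq 1004 sits one below the expected 1005 and is recognised as a keep-alive.
FULL_TRACE = [
    Segment(C, S, 1000, 2000, ACK, b"GET /"),
    Segment(S, C, 2000, 1005, ACK, b"OK"),
    Segment(C, S, 1004, 2002, ACK, b"\x00"),
    Segment(S, C, 2002, 1005, ACK, b""),
]

# Same connection, but the capture starts at the keep-alive itself. The first
# 1-byte segment cannot be classified; once it has set next_seq to 1005, the
# next keep-alive (same seq, as the answer explains) is recognised.
MIDSTREAM_TRACE = [
    Segment(C, S, 1004, 2002, ACK, b"\x00"),
    Segment(S, C, 2002, 1005, ACK, b""),
    Segment(C, S, 1004, 2002, ACK, b"\x00"),
]

if __name__ == "__main__":
    for name, trace in (("full", FULL_TRACE), ("mid-stream", MIDSTREAM_TRACE)):
        print(name, label_trace(trace))
```

Run it and compare the two result lists: the only difference between the two traces is whether the classifier had already seen a segment from the client, which is exactly why the first packet in the question's trace is not shown as a Keep-Alive while the later, identical one is.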