THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question

Revision history  [back]

Revision 4
grahamb's avatar
23.8k
grahamb
updated 2018-11-14 10:56:53 +0000

why does Wireshark flag the retransmission of a single byte fragment as a keep-alive? A true keep-[alive is an ACK with no data, tcp.len==0.

e.g.:

time T  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
time T+1.5000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=10512965  ACK=100003 Win=263520 Len=1
time T+3.000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
time T+6.000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
time T+12.000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
Revision 3
grahamb's avatar
23.8k
grahamb
updated 2018-11-14 10:56:34 +0000

why does Wireshark flag the retransmission of a single byte fragment as a keep-alive? A true keep-[alive is an ACK with no data, tcp.len==0.

e.g.:

time T  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
 time T+1.5000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=10512965  ACK=100003 Win=263520 Len=1
 time T+3.000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
 time T+6.000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
 time T+12.000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
Len=1
Revision 2
grahamb's avatar
23.8k
grahamb
updated 2018-11-14 10:56:09 +0000

why does Wireshark flag the retransmission of a single byte fragment as a keep-alive? A true keep-[alive is an ACK with no data, tcp.len==0.

time T [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295 ACK=101003 Win=263520 Len=1 time T+1.5000 [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=10512965 ACK=100003 Win=263520 Len=1 time T+3.000 [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295 ACK=101003 Win=263520 Len=1 time T+6.000 [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295 ACK=101003 Win=263520 Len=1 time T+12.000 [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295 ACK=101003 Win=263520 Len=1

Revision 1
SJZK's avatar
1
SJZK
asked 2018-11-13 17:58:09 +0000

why does Wireshark flag the retransmission of a single byte fragment as a keep-alive? A true keep-[alive is an ACK with no data, tcp.len==0.

time T [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295 ACK=101003 Win=263520 Len=1 time T+1.5000 [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=10512965 ACK=100003 Win=263520 Len=1 time T+3.000 [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295 ACK=101003 Win=263520 Len=1 time T+6.000 [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295 ACK=101003 Win=263520 Len=1 time T+12.000 [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295 ACK=101003 Win=263520 Len=1