Wireshark-users: Re: [Wireshark-users] TCP keep -alives

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Thu, 16 Nov 2006 14:59:04 -0800
On Thu, Nov 16, 2006 at 07:41:41AM -0800, imfaus wrote:

> From parsing through the documentation, I didn't see any explanation 
> on keep-alives or how Wireshark knows the TCP packet is in fact a 
> "keep-alive" packet. I have a particular capture and I am led to 
> believe that there might be some keepalives, but I was curious. Does 
> the tool look for a payload of 1 (in the TCP header) and a sequence 
> number that is nonincrementing to determine if in fact the packet is a 
> keep-alive packet?

I'm not sure how the keep-alives are detected without looking at the 
code.  TCP Keepalives show up in the Info column and can be seen by 
using this display filter: tcp.analysis.keep_alive


Steve
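
Added example, not part of the original thread and not Wireshark's source code: a simplified Python version of the keep-alive rule given in the TCP Analysis section of the Wireshark User's Guide (segment length of zero or one, sequence number one byte below the next expected sequence number, and none of SYN, FIN or RST set). The Segment type, the find_keepalives function and the sample capture are constructed for illustration, and sequence-number wraparound is ignored.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class Segment:
    direction: str     # flow key, e.g. "A->B" (hypothetical label)
    seq: int           # TCP sequence number
    length: int        # TCP payload length in bytes
    flags: int = ACK

def find_keepalives(segments):
    """Return the indexes of segments that match the keep-alive rule."""
    next_seq = {}      # per-direction next expected sequence number
    hits = []
    for i, s in enumerate(segments):
        expected = next_seq.get(s.direction)
        if (expected is not None
                and s.length in (0, 1)
                and s.seq == expected - 1
                and not s.flags & (SYN | FIN | RST)):
            hits.append(i)
            continue   # a keep-alive does not advance the stream
        # SYN and FIN each consume one sequence number
        end = s.seq + s.length + (1 if s.flags & (SYN | FIN) else 0)
        if expected is None or end > expected:
            next_seq[s.direction] = end
    return hits

# Constructed sample capture (one direction plus the peer's SYN/ACK).
CAPTURE = [
    Segment("A->B", 1000, 0, SYN),          # 0: handshake, next expected 1001
    Segment("B->A", 5000, 0, SYN | ACK),    # 1: peer handshake
    Segment("A->B", 1001, 100, PSH | ACK),  # 2: data, next expected 1101
    Segment("A->B", 1100, 1),               # 3: keep-alive carrying one byte
    Segment("A->B", 1100, 0),               # 4: keep-alive carrying no data
    Segment("A->B", 1101, 0),               # 5: plain ACK at the expected seq
    Segment("A->B", 1001, 100, PSH | ACK),  # 6: retransmission, too long
    Segment("A->B", 1100, 0, FIN | ACK),    # 7: FIN set, so excluded
]

if __name__ == "__main__":
    for idx in find_keepalives(CAPTURE):
        print(f"segment {idx}: keep-alive candidate, seq={CAPTURE[idx].seq}")
```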