Wireshark-users: Re: [Wireshark-users] TCP keep -alives

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Fri, 17 Nov 2006 10:13:19 +1100
wireshark uses heuristics to determine if something is a keepalive or not:


It assumes it is a keepalive IF
the left edge decreases by one   (sequence number 1 smaller than the next expected one)
the segment contains exactly 0 or 1 bytes of payload data



/* KEEP ALIVE
* a keepalive contains 0 or 1 bytes of data and starts one byte prior
* to what should be the next sequence number.
* SYN/FIN/RST segments are never keepalives
*/


On 11/17/06, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
On Thu, Nov 16, 2006 at 07:41:41AM -0800, imfaus wrote:

> From parsing through the documentation, I did'nt see any explanation
> on keep-alives or how wire shark knows the TCP packet is in fact a
> "keep-alive" packet. I have a particular capture and I am lead to
> believe that there might be some keepalives, but I was curious. Does
> the tool look for a payload of 1 (in the TCP header) and a sequence
> number that is nonincrementing to determine if in fact the packet is a
> keep-alive packet?

I'm not sure how the keep-alives are detected without looking at the
code.  TCP Keepalives show up in the Info column and can be seen by
using this display filter: tcp.analysis.keep_alive


Steve

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users