I am new to packet analysis and Wireshark. I need help in understanding. I will appreciate if someone please enlighten me on what is happening in captured file.
Q. Please refer to packet 64 and 101. They belong to the same TCP stream. Why does Seq # in packet #101 reduce by 1 from packet # 64?
This is because packet 101 is a special type of packet called (as Wireshark tells you) Keep-alive probe.
It's used for testing whether TCP connection is still active and it has Seq N reduced by 1. You've received packet 102 "Keep-alive ACK" successfully, that means indeed TCP-connection is still active. Do not consider it as usual data exchange packet.
See also this question
Thank you for explanation. It cleared my doubt. I was little surprised. I was expecting next sequence number for the 2nd keep-alive request from Client to the Server.
Asked: 2018-01-24 16:46:49 +0000
Seen: 560 times
Last updated: Jan 24 '18
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
