Ask Your Question
0

why does Wireshark flag the retransmission of a single byte fragment as a keep-alive? A true keep-[alive is an ACK with no data, tcp.len==0.

asked 2018-11-13 17:58:09 +0000

SJZK gravatar image

updated 2018-11-14 10:56:53 +0000

grahamb gravatar image

e.g.:

time T  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
time T+1.5000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=10512965  ACK=100003 Win=263520 Len=1
time T+3.000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
time T+6.000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
time T+12.000  [TCP Keep-Alive] srcport -> dstport [PSH,ACK] Seq=1051295  ACK=101003 Win=263520 Len=1
edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-11-13 19:39:04 +0000

Jaap gravatar image

It may contain a garbage octet, see RFC1122:

"An implementation SHOULD send a keep-alive segment with no data; however, it MAY be configurable to send a keep-alive segment containing one garbage octet, for compatibility with erroneous TCP implementations."

edit flag offensive delete link more

Comments

Unfortunately, the 1 byte in the "keep-alive"s is the actual 1 byte fragment, and the keep-alives are really retransmissions. The one byte fragment isn't ACK'd by the receiver until 22 seconds later. Since the word MAY is invoked, it would be more accurate to flag them as a retransmission, possible keep-alive instead of keep-alive, possible retransmission.

SJZK gravatar imageSJZK ( 2018-11-13 20:56:31 +0000 )edit

The sequence numbers should make the distinction possible, I assume, but I would have to look at a complete trace more carefully.

Jaap gravatar imageJaap ( 2018-11-14 06:57:51 +0000 )edit

Can you provide us the whole trace? https://blog.packet-foo.com/2016/11/t...

Christian_R gravatar imageChristian_R ( 2018-11-14 11:53:48 +0000 )edit

can't provide the actual trace, but here is a summary of the packets of interest:

Time Delta-Time Info Len Segment Seq# NextSeq# ACK#
17:24:42.819 0 Request, Data 1458 1400 3561752 3563152 335954 17:24:42.819 0 [PSH, ACK] 60 1 3563152 3563153 335954 17:24:44.251 1.43 [TCP Keep-Alive] 60 1 3563152 3563153 335954 17:24:47.253 3.00 [TCP Keep-Alive] 60 1 3563152 3563153 335954 17:24:53.253 6.00 [TCP Keep-Alive] 60 1 3563152 3563153 335954 17:25:05.261 12.00 [TCP Keep-Alive] 60 1 3563152 3563153 335954

SJZK gravatar imageSJZK ( 2018-11-14 15:17:03 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-11-13 17:58:09 +0000

Seen: 722 times

Last updated: Nov 14 '18

Related questions

TCP keep-alive ack and finally reset when query Database using TDS Protocol

NO-OP Ethernet Packet - Kind of Keep-Alive

What are those TCP Keep Alives

Keep-Alive Packets after FIN

TCP Keep-Alive on Linux - 10 seconds

keep-alive response time

Is TCP Keep-Alive triggered by OTHER THAN default time interval?