On Nov 16, 2006, at 3:13 PM, ronnie sahlberg wrote:
> Wireshark uses heuristics to determine if something is a keepalive
> or not:
> It assumes it is a keepalive IF
> the left edge decreases by one (sequence number 1 smaller than the
> next expected one)
> the segment contains exactly 0 or 1 bytes of payload data
>
> /* KEEP ALIVE
>  * a keepalive contains 0 or 1 bytes of data and starts one byte prior
>  * to what should be the next sequence number.
>  * SYN/FIN/RST segments are never keepalives
>  */
As RFC 1122 says in 4.2.3.6 "TCP Keep-Alives":
Some TCP implementations, however, have included a keep-alive
mechanism. To confirm that an idle connection is still active, these
implementations send a probe segment designed to elicit a response
from the peer TCP. Such a segment generally contains SEG.SEQ =
SND.NXT-1 and may or may not contain one garbage octet of data. Note
that on a quiet connection SND.NXT = RCV.NXT, so that this SEG.SEQ
will be outside the window. Therefore, the probe causes the receiver
to return an acknowledgment segment, confirming that the connection is
still live. If the peer has dropped the connection due to a network
partition or a crash, it will respond with a RST instead of an
acknowledgment segment.
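Worked example added by the editor, not code from this thread and not Wireshark's own dissector: a C reimplementation of the heuristic Ronnie describes (SEG.SEQ == next expected seq - 1, payload of 0 or 1 octets, never SYN/FIN/RST), a minimal per-direction tracker that feeds segments to it, and the receiver's side of RFC 1122 4.2.3.6 (an out-of-window probe gets an ACK, a peer with no such connection sends RST). The function names (tcp_is_keepalive, tcp_flow_process, tcp_peer_reply_flags), the simplified tracker (no reassembly, no SACK) and the sample trace are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits. */
#define TCP_FIN 0x01u
#define TCP_SYN 0x02u
#define TCP_RST 0x04u
#define TCP_ACK 0x10u

typedef struct {            /* the parts of a segment the heuristic needs */
    uint32_t seq;           /* SEG.SEQ */
    uint32_t seglen;        /* payload octets, not counting SYN/FIN */
    uint8_t  flags;
} tcp_seg_t;

typedef struct {            /* per-direction tracker state (constructed) */
    uint32_t nextseq;       /* next expected SEG.SEQ from this sender */
    bool     have_nextseq;  /* false until the first segment is seen */
} tcp_flow_t;

/* The heuristic from the thread, reimplemented (not Wireshark's own code):
 * SYN/FIN/RST are never keepalives, payload is 0 or 1 octets, and
 * SEG.SEQ == nextseq - 1. uint32_t arithmetic keeps the comparison correct
 * even when nextseq has just wrapped to 0. */
bool tcp_is_keepalive(const tcp_flow_t *flow, const tcp_seg_t *seg)
{
    if (!flow->have_nextseq)
        return false;
    if (seg->flags & (TCP_SYN | TCP_FIN | TCP_RST))
        return false;
    if (seg->seglen > 1u)
        return false;
    return seg->seq == flow->nextseq - 1u;
}

/* Feed one segment through the tracker. Returns true if it is a keepalive
 * (which never moves the left edge); otherwise advances nextseq when the
 * segment extends the stream. Simplified: no reassembly, no SACK. */
bool tcp_flow_process(tcp_flow_t *flow, const tcp_seg_t *seg)
{
    if (tcp_is_keepalive(flow, seg))
        return true;
    uint32_t len = seg->seglen;
    if (seg->flags & TCP_SYN) len++;    /* SYN and FIN each consume */
    if (seg->flags & TCP_FIN) len++;    /* one sequence number      */
    uint32_t end = seg->seq + len;
    /* signed difference: move the edge forward only, wrap-safe */
    if (!flow->have_nextseq || (int32_t)(end - flow->nextseq) > 0) {
        flow->nextseq = end;
        flow->have_nextseq = true;
    }
    return false;
}

/* Receiver side of RFC 1122 4.2.3.6, simplified: no such connection -> RST;
 * otherwise apply the RFC 793 acceptability test and answer an out-of-window
 * probe with a bare ACK. Returns the reply's flags, or 0 if the segment is
 * in-window and would be handled as ordinary data. */
uint8_t tcp_peer_reply_flags(bool connection_exists, uint32_t rcv_nxt,
                             uint32_t rcv_wnd, const tcp_seg_t *probe)
{
    if (!connection_exists)
        return TCP_RST;
    bool ok;
    if (rcv_wnd == 0u)
        ok = probe->seglen == 0u && probe->seq == rcv_nxt;
    else
        ok = (probe->seq - rcv_nxt) < rcv_wnd ||
             (probe->seglen > 0u &&
              (probe->seq + probe->seglen - 1u - rcv_nxt) < rcv_wnd);
    return ok ? 0u : TCP_ACK;
}

/* Constructed one-direction trace; returns how many segments the heuristic
 * flags as keepalives (the two seq=1100 segments). */
int count_keepalives_in_sample(void)
{
    static const tcp_seg_t trace[] = {
        { 1000u,   0u, TCP_SYN           }, /* SYN, ISN 1000           */
        { 1001u, 100u, TCP_ACK           }, /* 100 octets of data      */
        { 1100u,   0u, TCP_ACK           }, /* keepalive, no payload   */
        { 1100u,   1u, TCP_ACK           }, /* keepalive, 1 garbage    */
        { 1001u, 100u, TCP_ACK           }, /* retransmission: len > 1 */
        { 1100u,   0u, TCP_ACK | TCP_RST }, /* RST is never keepalive  */
        { 1101u,  50u, TCP_ACK | TCP_FIN }, /* FIN carrying data       */
    };
    tcp_flow_t flow = { 0u, false };
    int n = 0;
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        bool ka = tcp_flow_process(&flow, &trace[i]);
        printf("seg %u seq=%u len=%u -> %s (nextseq=%u)\n", (unsigned)i,
               (unsigned)trace[i].seq, (unsigned)trace[i].seglen,
               ka ? "keepalive" : "normal", (unsigned)flow.nextseq);
        n += ka ? 1 : 0;
    }
    return n;
}

int main(void)
{
    printf("keepalives detected: %d\n", count_keepalives_in_sample());
    return 0;
}
```

Build with `cc -std=c99 -Wall keepalive.c && ./a.out`. Note why this is only a heuristic: a one-octet probe at nextseq - 1 looks exactly like a one-byte retransmission of the last octet sent, so the tracker cannot tell them apart from the segment alone; it only has the seq/length/flags signature the thread describes.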