'How can I figure out if a packet is a TCP Keep-Alive?

Wireshark and Network Monitor provide filters for this but I want to know how can I infer whether a packet is a TCP Keep-Alive or Keep-Alive Ack by looking at the header or payload.

tcp


Solution 1:[1]

Here's what Wireshark says about a keep-alive ACK:

Set when all of the following are true:

  • The segment size is zero.
  • The window size is non-zero and hasn’t changed.
  • The current sequence number is the same as the next expected sequence number. -The current acknowledgement number is the same as the last-seen acknowledgement number.
  • The most recently seen packet in the reverse direction was a keepalive.
  • The packet is not a SYN, FIN, or RST.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 user2233706

Related Questions

How do I debug error ECONNRESET in Node.js?

Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host

How to create TCP tunnels with Pagekite

Send client side data Queue to server side through Tcp/IP

what exactly is 'flow' in nfdump? can i get tcp sessions with nfdump?

Adb reverse tcp not working on android connected remotely

How to download a file from http using C?

Which TCP window update is most recent?

Can we send data from an android device to another android device directly (p2p) without server in the middle?

Consume TCP stream and redirect it to another Sink (with Akka Streams)

SQL Server not listening on IP address even if TCP/IP is enabled

Socket programming, what about "CLOSE_WAIT", "FIN_WAIT_2" and "LISTENING"?

How to properly close a Node.js TCP server?

TCP Send Buffer not doing anything

Why is socket linger used after socket close?