Wireshark uses heuristics to determine if something is a keepalive or not:

It assumes it is a keepalive IF
- the left edge decreases by one (sequence number 1 smaller than the next expected one)
- the segment contains exactly 0 or 1 bytes of payload data

/* KEEP ALIVE
 * a keepalive contains 0 or 1 bytes of data and starts one byte prior
 * to what should be the next sequence number.
 * SYN/FIN/RST segments are never keepalives
 */

On 11/17/06, Stephen Fisher <[EMAIL PROTECTED]> wrote:
On Thu, Nov 16, 2006 at 07:41:41AM -0800, imfaus wrote:

> From parsing through the documentation, I didn't see any explanation
> on keep-alives or how Wireshark knows the TCP packet is in fact a
> "keep-alive" packet. I have a particular capture and I am led to
> believe that there might be some keepalives, but I was curious. Does
> the tool look for a payload of 1 (in the TCP header) and a sequence
> number that is nonincrementing to determine if in fact the packet is a
> keep-alive packet?

I'm not sure how the keep-alives are detected without looking at the code.

TCP Keepalives show up in the Info column and can be seen by using this display filter:

tcp.analysis.keep_alive

Steve

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
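The heuristic described in the thread (seq one below the next expected sequence number, 0 or 1 bytes of payload, never a SYN/FIN/RST) is small enough to reproduce over a list of segments. The following is an added example written for this page, not Wireshark's own code; the `Segment` class, the `classify` function and the sample segment list are constructed here, and the per-direction "next expected sequence number" bookkeeping is a deliberately simplified stand-in for what the dissector tracks. It also handles 32-bit sequence-number wraparound, which the thread does not mention but which any implementation of the check has to get right.

```python
from dataclasses import dataclass

# Standard TCP flag bits (RFC 793 header layout)
FIN, SYN, RST = 0x01, 0x02, 0x04
SEQ_MASK = 0xFFFFFFFF


@dataclass
class Segment:
    """One TCP segment in a single direction of a flow (constructed type)."""
    seq: int          # sequence number of the first payload byte
    payload_len: int  # bytes of TCP payload
    flags: int = 0    # TCP flag bits


def is_keepalive(seg: Segment, next_seq) -> bool:
    """Apply the keepalive rule quoted in the thread.

    A keepalive carries 0 or 1 bytes of data and starts exactly one byte
    before the sequence number we expect next; SYN/FIN/RST never qualify.
    next_seq is None before we have seen any segment in this direction.
    """
    if next_seq is None:
        return False
    if seg.flags & (SYN | FIN | RST):
        return False
    if seg.payload_len not in (0, 1):
        return False
    # Compare modulo 2**32 so a keepalive just before wraparound is detected.
    return (seg.seq + 1) & SEQ_MASK == next_seq


def _is_ahead(new_end: int, next_seq: int) -> bool:
    """Modular 'greater than' for 32-bit sequence numbers."""
    return (new_end - next_seq) & SEQ_MASK < 0x80000000


def classify(segments) -> list:
    """Label each segment of one flow direction: keep_alive, data or other.

    Tracks the next expected sequence number the way a simplified analyser
    would: SYN and FIN each consume one sequence number, a keepalive never
    advances the expectation, and a segment that ends behind the current
    expectation (a retransmission) does not move it backwards.
    """
    next_seq = None
    labels = []
    for seg in segments:
        if is_keepalive(seg, next_seq):
            labels.append("keep_alive")
            continue
        labels.append("data" if seg.payload_len else "other")
        end = seg.seq + seg.payload_len
        if seg.flags & (SYN | FIN):
            end += 1
        end &= SEQ_MASK
        if next_seq is None or _is_ahead(end, next_seq):
            next_seq = end
    return labels


# Constructed sample: one direction of a connection, ISN 1000.
SAMPLE_SEGMENTS = [
    Segment(1000, 0, SYN),   # handshake, next expected becomes 1001
    Segment(1001, 100),      # 100 bytes of data, next expected 1101
    Segment(1100, 0),        # 0-byte probe one below 1101: keepalive
    Segment(1100, 1),        # 1 garbage byte one below 1101: keepalive
    Segment(1101, 50),       # more data, next expected 1151
    Segment(1150, 0, FIN),   # FIN one below 1151 is NOT a keepalive
]


if __name__ == "__main__":
    for seg, label in zip(SAMPLE_SEGMENTS, classify(SAMPLE_SEGMENTS)):
        print(f"seq={seg.seq:<6} len={seg.payload_len:<3} flags={seg.flags:#04x} -> {label}")
```

Segments the function labels `keep_alive` are the ones Wireshark would match with the `tcp.analysis.keep_alive` display filter mentioned in the thread; the FIN at the end shows why the flag exclusion matters, since by sequence number and length alone it looks identical to a keepalive.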