> > There are some distinguishing characteristics... it is the first packet > > sent by the client that is in state ESTABLISHED. it should have ACK set > > and no other flags. the tcp data length should be zero. > > Isn't that in itself a bit of a giveaway ? I can't think of a reason why a > zero-length packet should ever occur in the remainder of the data stream... ?
How to TCP keepalive packets look like? Also, isn't it possible that the third packet already carries data, in the general (read TCP protocol as it is written) case? You probably won't get that with the normal socket interface from userlevel, but does TCP forbid it? I don't think so. best regards Patrick
