On Thu, Nov 16, 2006 at 07:41:41AM -0800, imfaus wrote:
> From parsing through the documentation, I didn't see any explanation
> on keep-alives or how Wireshark knows the TCP packet is in fact a
> keep-alive packet. I have a particular capture and I am led to
> believe that there might be some

Wireshark uses heuristics to determine if something is a keepalive or not:
It assumes it is a keepalive if
- the left edge decreases by one (sequence number 1 smaller than the next expected one)
- the segment contains exactly 0 or 1 bytes of payload data
/* KEEP ALIVE
* a keepalive
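
Added example, not part of the original post and not Wireshark's own code: a small classifier that applies the two conditions listed in the reply to one direction of a TCP flow. The struct and function names and both traces are constructed for illustration, and the sketch goes slightly beyond the post by doing the "expected minus one" comparison modulo 2^32 so it still holds when the sequence number wraps.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for this sketch; not Wireshark's own structures. */
struct segment  { uint32_t seq; uint32_t len; };    /* first byte, payload bytes */
struct flow_dir { uint32_t nextseq; bool valid; };  /* next expected seq, one direction */

/* Serial-number comparison: true if a is ahead of b, across 32-bit wrap. */
static bool seq_gt(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* Apply the two conditions from the post, then advance the expected sequence. */
bool is_keepalive(struct flow_dir *d, const struct segment *s)
{
    bool ka = d->valid && s->len <= 1 && s->seq == (uint32_t)(d->nextseq - 1);
    uint32_t end = s->seq + s->len;                 /* wraps modulo 2^32 */
    if (!d->valid || seq_gt(end, d->nextseq)) {
        d->nextseq = end;
        d->valid = true;
    }
    return ka;
}

int count_keepalives(const struct segment *segs, size_t n)
{
    struct flow_dir d = { 0, false };
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_keepalive(&d, &segs[i]) ? 1 : 0;
    return hits;
}

/* Constructed traces (one direction of one connection each). */
const struct segment sample[] = {
    { 1000, 100 },  /* data, next expected becomes 1100 */
    { 1100,   0 },  /* pure ACK at the expected seq: not a keepalive */
    { 1099,   1 },  /* one byte, seq = expected - 1: keepalive */
    { 1099,   0 },  /* zero bytes, seq = expected - 1: keepalive */
    { 1000, 100 },  /* retransmission of the data: not a keepalive */
};
const struct segment wrap_sample[] = {
    { 0xFFFFFFF0u, 16 },  /* data ending exactly at the wrap, expected becomes 0 */
    { 0xFFFFFFFFu,  1 },  /* expected - 1 wraps to 0xFFFFFFFF: keepalive */
};

int main(void)
{
    printf("sample: %d, wrap: %d\n", count_keepalives(sample, 5),
           count_keepalives(wrap_sample, 2));
    return 0;
}
```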