Wireshark-users: [Wireshark-users] Bad TCP - Why ?
From: Steve Smith <smithzsteve@xxxxxxxxxxxxxx>
Date: Thu, 18 Feb 2010 09:06:04 +0000
Hello Folks

Can anyone tell me why Wireshark decides these TCP keep-alives are bad ? It's not the checksum.

Any help would be much appreciated.

Below is an export of packets 28-31

Thanks for any assistance.


No.     Time        Source                Destination           Protocol Info
     28 52.431700   10.160.104.6          10.160.120.202        TCP      [TCP Keep-Alive] 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0

Frame 28 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:45.717539000
    [Time delta from previous captured frame: 7.198603000 seconds]
    [Time delta from previous displayed frame: 7.198603000 seconds]
    [Time since reference or first frame: 52.431700000 seconds]
    Frame Number: 28
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
    Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: FFFFFFFFFFFF
Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: 10.160.120.202 (10.160.120.202)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x0565 (1381)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 60
    Protocol: TCP (0x06)
    Header checksum: 0x82f3 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.104.6 (10.160.104.6)
    Destination: 10.160.120.202 (10.160.120.202)
Transmission Control Protocol, Src Port: 1124 (1124), Dst Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0
    Source port: 1124 (1124)
    Destination port: 4000 (4000)
    [Stream index: 0]
    Sequence number: 454    (relative sequence number)
    Acknowledgement number: 93    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 3072
    Checksum: 0x94af [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 27]
        [The RTT to ACK the segment was: 7.198603000 seconds]
        [TCP Analysis Flags]
            [This is a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive]
                    [Message: Keep-Alive]
                    [Severity level: Note]
                    [Group: Sequence]



No.     Time        Source                Destination           Protocol Info
     29 52.468294   10.160.120.202        10.160.104.6          TCP      [TCP Keep-Alive ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0

Frame 29 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:45.754133000
    [Time delta from previous captured frame: 0.036594000 seconds]
    [Time delta from previous displayed frame: 0.036594000 seconds]
    [Time since reference or first frame: 52.468294000 seconds]
    Frame Number: 29
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
    Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src: 10.160.120.202 (10.160.120.202), Dst: 10.160.104.6 (10.160.104.6)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xec02 (60418)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 61
    Protocol: TCP (0x06)
    Header checksum: 0x5b55 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.120.202 (10.160.120.202)
    Destination: 10.160.104.6 (10.160.104.6)
Transmission Control Protocol, Src Port: 4000 (4000), Dst Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0
    Source port: 4000 (4000)
    Destination port: 1124 (1124)
    [Stream index: 0]
    Sequence number: 93    (relative sequence number)
    Acknowledgement number: 455    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x80ae [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [This is an ACK to a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive ACK]
                    [Message: Keep-Alive ACK]
                    [Severity level: Note]
                    [Group: Sequence]



No.     Time        Source                Destination           Protocol Info
     30 59.931091   10.160.104.6          10.160.120.202        TCP      [TCP Keep-Alive] 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0

Frame 30 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:53.216930000
    [Time delta from previous captured frame: 7.462797000 seconds]
    [Time delta from previous displayed frame: 7.462797000 seconds]
    [Time since reference or first frame: 59.931091000 seconds]
    Frame Number: 30
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
    Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: FFFFFFFFFFFF
Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: 10.160.120.202 (10.160.120.202)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xf3b3 (62387)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 60
    Protocol: TCP (0x06)
    Header checksum: 0x94a4 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.104.6 (10.160.104.6)
    Destination: 10.160.120.202 (10.160.120.202)
Transmission Control Protocol, Src Port: 1124 (1124), Dst Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0
    Source port: 1124 (1124)
    Destination port: 4000 (4000)
    [Stream index: 0]
    Sequence number: 454    (relative sequence number)
    Acknowledgement number: 93    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 3072
    Checksum: 0x94af [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 29]
        [The RTT to ACK the segment was: 7.462797000 seconds]
        [TCP Analysis Flags]
            [This is a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive]
                    [Message: Keep-Alive]
                    [Severity level: Note]
                    [Group: Sequence]



No.     Time        Source                Destination           Protocol Info
     31 59.939739   10.160.120.202        10.160.104.6          TCP      [TCP Keep-Alive ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0

Frame 31 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:53.225578000
    [Time delta from previous captured frame: 0.008648000 seconds]
    [Time delta from previous displayed frame: 0.008648000 seconds]
    [Time since reference or first frame: 59.939739000 seconds]
    Frame Number: 31
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
    Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src: 10.160.120.202 (10.160.120.202), Dst: 10.160.104.6 (10.160.104.6)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xec04 (60420)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 61
    Protocol: TCP (0x06)
    Header checksum: 0x5b53 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.120.202 (10.160.120.202)
    Destination: 10.160.104.6 (10.160.104.6)
Transmission Control Protocol, Src Port: 4000 (4000), Dst Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0
    Source port: 4000 (4000)
    Destination port: 1124 (1124)
    [Stream index: 0]
    Sequence number: 93    (relative sequence number)
    Acknowledgement number: 455    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x80ae [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [This is an ACK to a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive ACK]
                    [Message: Keep-Alive ACK]
                    [Severity level: Note]
                    [Group: Sequence]