I have a traffic capture from what I believe is a Windows client. I’ve noticed that from time to time it sends what are identified by Wireshark as “TCP Keep-Alive”, but instead of just setting ACK and sending no data, it backs up SEQ by one octet and resends that data.
(C = client, S = server, relative seq / ack)
(connected, data transferred back and forth)
1 C: PSH Seq=21, Ack=41, Len=12
2 S: PSH ACK Seq=41, Ack=33, Len=12
3 C: ACK Seq=33, Ack=53
4 S: PSH ACK Seq=53, Ack=33, Len=1
5 C: ACK Seq=33, Ack=54
... 3 seconds pass ...
6 C: ACK Seq=32, Ack=54, Len=1 (resends the last octet from #1)
7 S: ACK Seq=54, Ack=33
...
Is this the normal behaviour for the Windows stack when sending TCP keepalives?
That’s what a keep-alive segment is. It isn’t a separate piece of protocol; it’s just a redundant send with a sequence number that has already been acknowledged, to provoke an ACK with the current sequence number in reply. There’s no requirement that it set the PSH flag either.
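The heuristic Wireshark applies to label such a segment as a keep-alive (zero or one octet of data, sequence number exactly one below the sender's next expected sequence number, no SYN/FIN/RST) can be reproduced over the trace above. The following is an added example written for this answer, not code from the original post or from Wireshark; the `Segment` type and the relative-numbered trace are constructed from the exchange quoted in the question.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    sender: str                      # "C" (client) or "S" (server)
    seq: int                         # relative sequence number
    ack: int                         # relative acknowledgement number
    length: int                      # payload octets carried
    flags: frozenset = field(default_factory=frozenset)

def classify_keepalives(segments):
    """Return the 0-based indices of segments that match the keep-alive heuristic.

    A segment is a keep-alive probe when it carries 0 or 1 octet, its sequence
    number is exactly one less than the next sequence number the sender is
    expected to use (i.e. it re-sends an octet the peer already acknowledged),
    and none of SYN, FIN or RST are set. A probe does not advance the sender's
    sequence space, so it is not used to update the expected next sequence.
    """
    next_seq = {}                    # per sender: next expected sequence number
    probes = []
    for i, s in enumerate(segments):
        expected = next_seq.get(s.sender)
        if (expected is not None
                and s.length <= 1
                and s.seq == expected - 1
                and not (s.flags & {"SYN", "FIN", "RST"})):
            probes.append(i)
            continue
        # Ordinary data or ACK: advance (never rewind) the expected sequence.
        next_seq[s.sender] = max(expected or 0, s.seq + s.length)
    return probes

# Constructed from the relative seq/ack exchange quoted in the question.
PAGE_TRACE = [
    Segment("C", 21, 41, 12, frozenset({"PSH"})),         # 1
    Segment("S", 41, 33, 12, frozenset({"PSH", "ACK"})),  # 2
    Segment("C", 33, 53, 0,  frozenset({"ACK"})),         # 3
    Segment("S", 53, 33, 1,  frozenset({"PSH", "ACK"})),  # 4
    Segment("C", 33, 54, 0,  frozenset({"ACK"})),         # 5
    Segment("C", 32, 54, 1,  frozenset({"ACK"})),         # 6: keep-alive probe
    Segment("S", 54, 33, 0,  frozenset({"ACK"})),         # 7: the provoked ACK
]

if __name__ == "__main__":
    for idx in classify_keepalives(PAGE_TRACE):
        print(f"segment #{idx + 1} is a keep-alive probe: {PAGE_TRACE[idx]}")
```

A genuine retransmission of the 12-octet segment #1 would not be flagged, because its length exceeds one octet; only the one-octet (or empty) rewind by exactly one matches.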