By default, Wireshark likes to mark TCP keep-alive packets as scary errors; opting to display them in a gruesome black-and-red and scaring anyone trying to analyze TCP dumps in an effort to debug network problems.

The reasons for this are complex, but in short, most TCP keep-alive packets flagged as errors in Wireshark can be safely ignored. But having them pop up in the Wireshark trace means it’s a lot harder to spot real errors – kind of like the boy who cried wolf. Fortunately, we can filter them out quite easily.

Here’s a Wireshark analysis of some captured traffic that includes a lot of “false errors” involving TCP keep-alive packets during a regular HTTP(S) session:

And after applying this simple filter:

!(tcp.flags.ack && tcp.len <= 1)

We end up with a much better display that actually flags/highlights true causes for concern without overwhelming us with fake warnings about TCP keep-alive packets:

Propose an edit