By default, Wireshark marks TCP keep-alive packets as if they were errors: its TCP expert analysis tags them (`tcp.analysis.keep_alive`), and the default "Bad TCP" colouring rule, which keys on `tcp.analysis.flags`, can paint them in the same gruesome black-and-red as retransmissions and lost segments, scaring anyone reading a TCP dump in an effort to debug a network problem.
The reason is that a keep-alive probe is deliberately odd: per RFC 1122 (section 4.2.3.6) it carries zero or one bytes of payload and a sequence number one below the next expected one, which to a sequence-number analyser looks just like a retransmission of data the peer has already acknowledged. That is intentional, so the keep-alive "errors" flagged in a Wireshark trace can be safely ignored. But having them pop up in the trace makes real errors much harder to spot, a bit like the boy who cried wolf. Fortunately, we can filter them out quite easily.
Here’s a Wireshark analysis of some captured traffic that includes a lot of “false errors” involving TCP keep-alive packets during a regular HTTP(S) session:
And after applying this simple filter:
```
!(tcp.flags.ack && tcp.len <= 1)
```
We end up with a much cleaner display that highlights the true causes for concern without overwhelming us with fake warnings about TCP keep-alive packets (one caveat: the filter hides every segment that has the ACK flag set and carries at most one byte of payload, so the SYN-ACK, FIN-ACK and RST-ACK segments and any duplicate ACKs disappear too; when you are chasing packet loss or connection resets, the tighter `!tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack` removes only what Wireshark itself tagged as keep-alive traffic):
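To see exactly what the two filters drop, here is an added example (my own code, not from the post or from Wireshark) that re-implements Wireshark's keep-alive heuristic in Python and runs both filters over a constructed client/server conversation. The keep-alive rule (zero or one payload bytes, sequence number one below the next expected one, no SYN/FIN/RST) mirrors the one in Wireshark's TCP analysis; the keep-alive-ACK rule is a simplified approximation of Wireshark's and is labelled as such; the `Segment` type, the `client`/`server` labels and the sample segments are all constructed for the example.

```python
"""Compare Wireshark's keep-alive heuristic with the blanket display filter
!(tcp.flags.ack && tcp.len <= 1) over a constructed TCP conversation.
Added example; the sample segments below are constructed, not captured."""
from dataclasses import dataclass

# TCP flag bits, as laid out in the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Segment:
    src: str     # which end sent it: "client" or "server" (constructed labels)
    seq: int     # sequence number
    ack: int     # acknowledgment number
    flags: int   # bitwise OR of the flag constants above
    length: int  # payload bytes (tcp.len)
    note: str    # label for the constructed sample only


def blanket_filter_hides(seg):
    """The post's filter: hidden when ACK is set and payload is at most one byte."""
    return bool(seg.flags & ACK) and seg.length <= 1


def is_keep_alive(seg, next_seq):
    """Wireshark's keep-alive rule: 0 or 1 payload bytes, sequence number one
    below the next expected one for this direction, and no SYN/FIN/RST."""
    return (seg.length <= 1
            and seg.seq == next_seq - 1
            and not seg.flags & (SYN | FIN | RST))


def is_keep_alive_ack(seg, prev, prev_was_keep_alive, next_seq):
    """Simplified keep-alive ACK rule (an assumption, not Wireshark's exact test):
    a zero-length ACK that directly follows a keep-alive from the other end,
    acknowledges the probe byte, and does not advance its own sequence number."""
    return (prev_was_keep_alive
            and prev.src != seg.src
            and seg.length == 0
            and bool(seg.flags & ACK)
            and seg.seq == next_seq
            and seg.ack == prev.seq + 1)


def classify(segments):
    """Walk the capture in order, tracking the next expected sequence number per
    direction; return (keep_alives, keep_alive_acks, hidden_by_blanket_filter)."""
    next_seq = {}
    keep_alives, keep_alive_acks, blanket = [], [], []
    prev, prev_was_keep_alive = None, False
    for seg in segments:
        expected = next_seq.get(seg.src)
        if expected is not None and is_keep_alive(seg, expected):
            keep_alives.append(seg.note)   # a probe does not advance next_seq
            this_is_keep_alive = True
        else:
            if expected is not None and is_keep_alive_ack(seg, prev, prev_was_keep_alive, expected):
                keep_alive_acks.append(seg.note)
            # SYN and FIN each consume one sequence number; max() stops a
            # retransmission from moving the expectation backwards
            consumed = seg.length + bool(seg.flags & SYN) + bool(seg.flags & FIN)
            next_seq[seg.src] = max(expected or 0, seg.seq + consumed)
            this_is_keep_alive = False
        if blanket_filter_hides(seg):
            blanket.append(seg.note)
        prev, prev_was_keep_alive = seg, this_is_keep_alive
    return keep_alives, keep_alive_acks, blanket


def hidden_but_not_keep_alive(segments):
    """Segments the post's filter removes that Wireshark would not tag as
    keep-alive traffic: handshake, teardown and loss signals you may want."""
    ka, ka_ack, blanket = classify(segments)
    return [n for n in blanket if n not in ka and n not in ka_ack]


# Constructed HTTP-style conversation: client ISN 1000, server ISN 5000.
SAMPLE = [
    Segment("client", 1000, 0,    SYN,       0,   "SYN"),
    Segment("server", 5000, 1001, SYN | ACK, 0,   "SYN-ACK"),
    Segment("client", 1001, 5001, ACK,       0,   "handshake ACK"),
    Segment("client", 1001, 5001, ACK | PSH, 100, "HTTP request"),
    Segment("server", 5001, 1101, ACK,       0,   "ACK of request"),
    Segment("server", 5001, 1101, ACK | PSH, 300, "HTTP response"),
    Segment("client", 1101, 5301, ACK,       0,   "ACK of response"),
    Segment("client", 1100, 5301, ACK,       0,   "keep-alive probe"),
    Segment("server", 5301, 1101, ACK,       0,   "keep-alive reply"),
    Segment("client", 1151, 5301, ACK | PSH, 50,  "request part 2 (part 1 lost)"),
    Segment("server", 5301, 1101, ACK,       0,   "duplicate ACK (loss signal)"),
    Segment("client", 1101, 5301, ACK | PSH, 50,  "retransmission of part 1"),
    Segment("server", 5301, 1201, ACK,       0,   "ACK of both parts"),
    Segment("client", 1201, 5301, FIN | ACK, 0,   "FIN"),
    Segment("server", 5301, 1202, RST | ACK, 0,   "RST"),
]

if __name__ == "__main__":
    ka, ka_ack, blanket = classify(SAMPLE)
    print("keep-alives:                ", ka)
    print("keep-alive ACKs:            ", ka_ack)
    print("hidden by the post's filter:", blanket)
    print("hidden but not keep-alive:  ", hidden_but_not_keep_alive(SAMPLE))
```

Running it lists ten of the fifteen segments as hidden by the post's filter, but only two of them are keep-alive traffic; the other eight are the SYN-ACK, the handshake and data ACKs, a duplicate ACK that signals loss, the FIN and the RST, which is why the `tcp.analysis`-based filter is the better choice when those are what you are hunting.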