{"id":5344,"date":"2018-02-08T18:14:57","date_gmt":"2018-02-09T00:14:57","guid":{"rendered":"http:\/\/neosmart.net\/wiki\/?p=5344"},"modified":"2022-01-30T17:48:42","modified_gmt":"2022-01-30T23:48:42","slug":"filter-out-tcp-keep-alive-packets-in-wireshark","status":"publish","type":"post","link":"https:\/\/neosmart.net\/wiki\/filter-out-tcp-keep-alive-packets-in-wireshark\/","title":{"rendered":"Filter out TCP Keep-Alive packets in Wireshark"},"content":{"rendered":"

\"\"<\/a><\/p>\n

By default, Wireshark likes to mark TCP keep-alive packets as scary errors; opting to display them in a gruesome black-and-red and scaring anyone trying to analyze TCP dumps in an effort to debug network problems.<\/p>\n

The reasons for this are complex<\/a>, but in short, most TCP keep-alive packets flagged as errors in Wireshark can be safely ignored. But having them pop up in the Wireshark trace means it’s a lot harder to spot\u00a0real<\/em> errors – kind of like the boy who cried wolf. Fortunately, we can filter them out quite easily.<\/p>\n

<\/p>\n

Here’s a Wireshark analysis of some captured traffic that includes a lot of “false errors” involving TCP keep-alive packets during a regular HTTP(S) session:<\/p>\n

\"\"<\/a><\/p>\n

And after applying this simple filter:<\/p>\n

!(tcp.flags.ack && tcp.len <= 1)\r\n<\/code><\/pre>\n
We end up with a\u00a0much<\/em> better display that actually flags\/highlights true causes for concern without overwhelming us with fake warnings about TCP keep-alive packets:<\/p>\n
\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
By default, Wireshark likes to mark TCP keep-alive packets as scary errors; opting to display them in a gruesome black-and-red and scaring anyone trying to analyze TCP dumps in an effort to debug network problems. The reasons for this are complex, but in short, most TCP keep-alive packets flagged as errors in Wireshark can be […]<\/p>\n","protected":false},"author":505,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"class_list":["post-5344","post","type-post","status-publish","format-standard","hentry"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p3SlTq-1oc","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/neosmart.net\/wiki\/wp-json\/wp\/v2\/posts\/5344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/neosmart.net\/wiki\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/neosmart.net\/wiki\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/neosmart.net\/wiki\/wp-json\/wp\/v2\/users\/505"}],"replies":[{"embeddable":true,"href":"https:\/\/neosmart.net\/wiki\/wp-json\/wp\/v2\/comments?post=5344"}],"version-history":[{"count":3,"href":"https:\/\/neosmart.net\/wiki\/wp-json\/wp\/v2\/posts\/5344\/revisions"}],"predecessor-version":[{"id":5618,"href":"https:\/\/neosmart.net\/wiki\/wp-json\/wp\/v2\/posts\/5344\/revisions\/5618"}],"wp:attachment":[{"href":"https:\/\/neosmart.net\/wiki\/wp-json\/wp\/v2\/media?parent=5344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}