Wireshark - Beware of false positive marking by Wireshark - TCP Keep alive

Wireshark tries to provide intelligent information to the user, but that information is always derived from packet characteristics, as described under TCP Analysis.

For example, it is quite possible for Wireshark to mark TCP keep-alive packets incorrectly.

Look at the capture below: Wireshark marks these packets as TCP keep-alive packets and keep-alive acknowledgements. At first glance, they look legitimate.

But if you understand how TCP keep-alive works under Linux, these packets do not fit the TCP keep-alive pattern.

According to the TCP man page:


So TCP keep-alive probes are only sent after the connection has been idle for a default of 7200 seconds (2 hours). After that, at most 9 probes are sent, 75 seconds apart.

In the example above, the packets were not sent after 2 hours of idle connection, and they are sent 60 seconds apart. Wireshark likely marked them as TCP keep-alive packets because of their 1-byte payload.

To show what genuine TCP keep-alive packets look like, below is the keep-alive mechanism in action:






You can see that:

  1. There is a gap of 2 hours between the earlier packet and the first TCP keep-alive packet
  2. Each probe is sent at a 75-second interval
  3. Each probe carries 0 bytes of payload
  4. There are only 9 probes
  5. After 9 probes, the connection is closed with an RST flag
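The two captures above differ in exactly the properties Wireshark's heuristic ignores: idle time before the first probe, probe spacing, payload size, probe count and the closing RST. The following script is an added example (not part of the original post and not Wireshark's code) that applies a simplified version of Wireshark's marking rule (a 0- or 1-byte segment whose sequence number is one below the next expected sequence number) and then cross-checks every marked packet against the Linux keep-alive timing quoted above. It assumes a one-directional list of segments with relative sequence numbers and the tcp(7) defaults (7200 s, 75 s, 9 probes); the two sample captures are constructed to mirror the false-positive and genuine cases in the post.

```python
"""Cross-check Wireshark-style TCP keep-alive marking against Linux keep-alive timing."""
from dataclasses import dataclass
from typing import List

# Linux defaults quoted from the TCP man page (tcp_keepalive_time, tcp_keepalive_intvl,
# tcp_keepalive_probes). Constants are used so the script runs offline; on a live host the
# configured values live under /proc/sys/net/ipv4/tcp_keepalive_*.
KEEPALIVE_TIME = 7200
KEEPALIVE_INTVL = 75
KEEPALIVE_PROBES = 9


@dataclass
class Segment:
    ts: float      # seconds since capture start
    seq: int       # relative sequence number (one direction only, assumption of this example)
    length: int    # TCP payload bytes
    flags: str     # e.g. "PA" for PSH+ACK, "A" for ACK, "R" for RST


def wireshark_style_keepalive(next_seq: int, seg: Segment) -> bool:
    """Simplified marking rule: tiny segment (0/1 byte) sitting one byte below the next expected seq."""
    if any(f in seg.flags for f in "SFR"):
        return False
    return seg.length <= 1 and seg.seq == next_seq - 1


def find_marked(segments: List[Segment]) -> List[int]:
    """Return indices Wireshark would mark as keep-alive, tracking next expected seq as it goes."""
    marked, next_seq = [], None
    for i, seg in enumerate(segments):
        if next_seq is not None and wireshark_style_keepalive(next_seq, seg):
            marked.append(i)      # a probe does not advance the sequence space
            continue
        next_seq = seg.seq + seg.length
    return marked


def verify_keepalive(segments: List[Segment], marked: List[int],
                     time: int = KEEPALIVE_TIME, intvl: int = KEEPALIVE_INTVL,
                     probes: int = KEEPALIVE_PROBES, tol: float = 2.0) -> List[str]:
    """Check marked packets against the genuine Linux pattern; an empty list means it all fits."""
    problems = []
    if not marked:
        return ["no segments marked as keep-alive"]
    first = marked[0]
    if first == 0:
        problems.append("first probe has no preceding segment to measure idle time from")
    else:
        idle = segments[first].ts - segments[first - 1].ts
        if idle < time - tol:
            problems.append(f"first probe after {idle:.0f}s idle, expected >= {time}s")
    for a, b in zip(marked, marked[1:]):
        gap = segments[b].ts - segments[a].ts
        if abs(gap - intvl) > tol:
            problems.append(f"probe spacing {gap:.0f}s before index {b}, expected {intvl}s")
    for i in marked:
        if segments[i].length != 0:
            problems.append(f"probe at index {i} carries {segments[i].length} byte(s), Linux probes carry 0")
    if len(marked) > probes:
        problems.append(f"{len(marked)} probes seen, Linux sends at most {probes}")
    if len(marked) == probes:
        last = marked[-1]
        nxt = segments[last + 1] if last + 1 < len(segments) else None
        if nxt is None or "R" not in nxt.flags:
            problems.append("no RST after the final probe")
    return problems


def false_positive_capture() -> List[Segment]:
    """Constructed sample: 1-byte segments every 60 s right after data, like the first capture in the post."""
    data = [Segment(0.0, 1000, 100, "PA")]
    return data + [Segment(60.0 * k, 1099, 1, "A") for k in (1, 2, 3)]


def genuine_capture() -> List[Segment]:
    """Constructed sample: 2 h idle, nine 0-byte probes 75 s apart, then RST, like the second capture."""
    data = [Segment(0.0, 1000, 100, "PA")]
    probes = [Segment(7200.0 + 75.0 * k, 1099, 0, "A") for k in range(9)]
    rst = [Segment(7200.0 + 75.0 * 9, 1100, 0, "R")]
    return data + probes + rst


def classify(segments: List[Segment]) -> str:
    problems = verify_keepalive(segments, find_marked(segments))
    return "genuine keep-alive" if not problems else "false positive: " + "; ".join(problems)


if __name__ == "__main__":
    print("capture 1:", classify(false_positive_capture()))
    print("capture 2:", classify(genuine_capture()))
```

On a real capture, feed the script one direction of a single stream (for example, the fields exported from `tshark -T fields` for the sender side) and treat any non-empty problem list as a reason to distrust the keep-alive label rather than as proof the packets are malicious; application-level heartbeats commonly produce exactly the 1-byte, fixed-interval pattern of the first capture.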

In summary, verify Wireshark's analysis yourself if you are in doubt.


