How TCP Works - What is a TCP Keepalive?

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
in this video we're going to take a look at what is a tcp keepalive so if you found this video no doubt this is something you've seen in Wireshark or some other packet analyzer and you may be interested is this a drastic issue that's happening on the network does this indicate a network issue an application issue how should I interpret these packets well here you can see on your screen clearly we have some TCP keepalive lines going across the screen these are TCP keepalive packets and just at first look these look pretty bad it looks ugly we see this black line we've got this red text is this an error that we should dig into and investigate well the bottom line is it really just depends on when a TCP keepalive happens now first let's talk about what it is and why it's built and then we'll go into some of the scenarios that we may find these in and last we're going to talk about when we should be concerned about these now to just take us through this one transaction this is just a simple client-server connection it's using a web-based application and the client is doing a request and it's getting a response we see these issues so first of all we see that a packet goes this first packet this is a syn packet this is coming from a client to the server and it's sending it's trying to open up a port for 3333 on the server it's sending its sequence number and other information in that syn packet this is just a standard way that a client goes and initiates a connection the next packet down almost 100 milliseconds later we see the server come back with a syn ACK that means that the server is listening it does here on that port and it's willing to talk back to the client it has the capacity it has the resource it's able to open up a connection and finally we see an acknowledgment packet from the go from the client to the server and now this is our standard TCP handshake see now that TCP connection is open and available for that client to use to send data to its partner to send data to that server now what is it trying to send now the client it sends a get it's asking for a file or it's sending a request to that server this is data that the client needs to be able to send to the users application that they're using and here we see in this first packet if we notice the length this is a 15 14 byte packet if we add the FCS here at FCS header on that Ethernet frame this would actually be a full size frame 1518 bytes so this is a full-sized packet and it has what I call trickle bytes that go down into the next packet so the request was so big that the client had to break it up into two packets and send those to the server now notice here we're still not terribly long into this transaction just over 100 milliseconds or so and finally we get an acknowledgment we do here an acknowledgment back from the server the server is acknowledging our get it's saying 106 milliseconds later that's our network round-trip time the reason why we know that is because it's about the same amount of time as our initial network round-trip time that we saw in the handshake so we see this 106 milliseconds come back this is acknowledging our get this tells us that the server has our request and it's processing that request we just haven't heard any data back yet from the server so this is where our TCP keepalive comes in so the client waits 45 seconds for this is 45 full seconds and it still hasn't heard anything back from that server in terms of data so what happens on the client side is the client maintains this TCP timer that will eventually timeout and the client will have to shut down this connection that's it due to inactivity if that connection isn't being used well before it gets that bad the client first wants to know hey mister server are we still talking are we still having a conversation so the client sends a keepalive and that's why it's called a keepalive it's keeping this TCP connection up and active so it doesn't have to shut it down so we send it's a 64 bytes a small packet that gets sent to the server one byte of data is sent to the server then the server comes back and acknowledges that 100 milliseconds later the server says this is this is a TCP keepalive ACK if I scroll down just a little bit you can see that ACK were there alright so this is the server coming back and saying yes I am here I heard you we're still active and mr. application up above me is still working on that response so sit tight okay so the client does it waits another 45 seconds of inactivity so here we can see that the client has a 45 second keepalive timer as soon as out 45 seconds expires the client if it hasn't heard anything from the link partner it's going to try to keep this connection open it sends another keepalive which again gets acknowledged in about the network round-trip time that we expect the initial network round-trip time in the handshake and finally see 18 seconds after we see this TC this keep alive ACK we finally see a response from the server now this packet actually has data in it it's a TCP 200 okay this is the response packet that we've been waiting for and then the subsequent packets after this are all involved in that response so up to this point we've waited 108 seconds I come over here to my timer that starts at the beginning of the conversation and runs it's a running total so here we've been waiting a hundred and eight seconds for this application to get back to us so in this specific case see the keepalive didn't want to shut the TCP connection down before the response came back so those TCP cable lives were critical and making sure that we would keep this connection open now what's to blame for this delay it's certainly not the network we don't see any retransmissions we don't see any significant changes in the amount of network round-trip time this is 100 percent due to application performance the application was sitting on this for 108 seconds what it was doing we don't know from this position we can get another capture file for that but we can clearly see the nature of keeper lives and what they do based on this trace now again are they good are they bad simply messengers they're telling us that this connection should not be shut down now we might also see TCP keep alive packets flowing by phone round in a back-end environment in an application sometimes when like an application server needs to talk to a database server maybe there simply have not been client requests coming into the system and that application server wants to keep TCP connections open with the back-end database that way when a new client connection our new client request comes into the system the application server doesn't have to resend a syn syn ack ack we don't have to suffer this overhead we can just send the request whatever it may be onto the wire immediately so this tells us also that it's also possible that the remote peer the server it's gone offline or there's been a network error and the client hasn't heard back from it so if we never heard these TCPS I'm sorry these keepalive acknowledgments if we never saw these come back from the server and we just saw these keeper lives from the client well that could indicate that there's a network issue or that that server went offline so again hopefully this was helpful in what is a tcp keepalive why they're generated and when they're an issue a lot of times they look a lot scarier on the screen and they really are in many cases they're simply benign packets in designed to keep that TCP connection open so thank you for tuning in to this video and stay tuned for more tips and tricks on how to use Wireshark to troubleshoot Network and application performance problems thank you for watching this video bye packet pioneer if you're experiencing network or application performance problems and you need help resolving them please get in touch with us at WWE TA or calm or by sending us an email at packet pioneer at gmail.com
Info
Channel: Chris Greer
Views: 70,974
Rating: undefined out of 5
Keywords: Wireshark, Transmission Control Protocol (Protocol), Packet Analyzer, filters, packet analysis, protocol analysis, tcp keep alive, tcp keep-alive, tcp analysis, packet pioneer, chris greer, tcp sequence numbers, wireshark tutorial 2020, wireshark tutorial, how tcp works, troubleshooting with wireshark, free wireshark, free wireshark course, free wireshark tutorial, tcp/ip, free wireshark training, network troubleshooting
Id: j8lgFaIajko
Channel Id: undefined
Length: 8min 25sec (505 seconds)
Published: Wed Nov 19 2014
Related Videos
TCP Fundamentals Part 1 // TCP/IP Explained with Wireshark
Chris Greer
384K
How TCP Works - How to Interpret the Wireshark TCPTrace Graph
Chris Greer
24K
TCP Duplicate Acks Explained // How to Troubleshoot Them
Chris Greer
31K
How TCP Works - Duplicate Acknowledgments
Chris Greer
43K
Analyzing Conversations - Wireshark QUICK TIP!
Chris Greer
7.5K
How TCP RETRANSMISSIONS Work // Analyzing Packet Loss
Chris Greer
42K
Troubleshooting with Wireshark - Analyzing TCP Resets
Chris Greer
94K
How TCP Works - The Handshake
Chris Greer
292K
How TCP really works // Three-way handshake // TCP/IP Deep Dive
David Bombal
577K
How TCP Works - Selective Acknowledgment (SACK)
Chris Greer
50K
SPYWARE Analysis with Wireshark - STOLEN LOGINS!
Chris Greer
12K
How to Use the TCP Completeness Value in Wireshark
Chris Greer
8.4K
Troubleshooting with Wireshark - Find Delays in TCP Conversations
Chris Greer
79K
How IP FRAGMENTATION Works
Chris Greer
37K
Fix a TCP ZERO Window // TCP Deep Dive with Wireshark
Chris Greer
19K
OAuth 2.0 & OpenID Connect (OIDC): Technical Overview
VMware End-User Computing
130K
TCP Congestion Control // Hands-On Deep Dive TCP Analysis with Wireshark
Chris Greer
34K
How TCP Works - Window Scaling Graph
Chris Greer
14K
How TCP Works - Window Scaling
Chris Greer
86K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.