Not usually. They are just the messenger; whether they point to a real problem depends on when they happen.
I had this question come in from a client who had a trace file full of black lines and red text. It's a great question about an event that Wireshark is designed to flag, which makes it look like a horrific error on the screen.
Naturally, the question arises – if Wireshark is flagging this stuff, is it indicating something bad for my network or application performance?
Let’s examine why these events happen, what they indicate, and how we can use them to determine if there really is a deeper problem in play.
What is a TCP Keep Alive?
Before TCP can transfer data to another system, it first has to establish a socket, or connection, with the peer. To do this it fires off a TCP handshake (SYN – SYN/ACK – ACK). If the handshake succeeds, the connection is available to carry data. While this is only a three-packet exchange, it does represent some overhead, and it costs a full round-trip delay before the first byte of application data can be sent.
Once the connection is established, the stack does not automatically time it out. If the application has asked for keep-alives (the SO_KEEPALIVE socket option, which is off by default on the common stacks), the stack starts an idle timer on that connection. If no data crosses the socket for the configured idle period, the stack sends a TCP Keep Alive: a segment with no data (or one garbage byte) whose sequence number is one less than the next byte it would send. The peer must acknowledge it, but nothing new is delivered. That pattern, a zero- or one-byte segment whose sequence number is one less than the next expected, is exactly what Wireshark's analysis labels [TCP Keep-Alive], and the reply it labels [TCP Keep-Alive ACK]. The idle period is a configurable setting and varies by system; Linux, for example, waits two hours (tcp_keepalive_time) before the first probe.
The sending station is checking whether the remote peer is dead, whether the connection is still open and in use, or is simply keeping an idle connection (and any firewall or NAT state along the path) alive so that it does not have to pay for another handshake later. If the peer does not respond, the sender repeats the probe at a second, shorter interval a fixed number of times (on Linux, every 75 seconds up to 9 times by default) before giving up and tearing down the socket; some stacks send a TCP reset to the peer at that point. This is a good thing, since we don't want idle or half-dead TCP connections staying open and hogging resources forever.
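To make the three knobs and the Wireshark heuristic concrete, here is an added example in Python; it is not code from the original post. It enables keep-alives on a socket and tunes the idle time, probe interval and probe count, works out how long a dead peer can go unnoticed with given settings, and reproduces the rule Wireshark uses to label a segment as a keep-alive probe. The option names TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are the Linux ones (macOS calls the idle timer TCP_KEEPALIVE, so the lookup is defensive), and the segments fed to the classifier are constructed sample values, not from a real capture.

```python
import socket

# TCP flag bits, as found in the 13th byte of the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Linux default keep-alive tunables (net.ipv4.tcp_keepalive_*), in seconds/probes.
LINUX_DEFAULT_IDLE, LINUX_DEFAULT_INTERVAL, LINUX_DEFAULT_COUNT = 7200, 75, 9


def is_keepalive_probe(seq, next_expected_seq, payload_len, flags):
    """Wireshark's rule for flagging a segment as [TCP Keep-Alive].

    A probe carries zero or one byte of payload, reuses the sequence number
    just before the next expected one (so the peer must ACK but receives no
    new data), and has none of SYN, FIN or RST set.
    """
    if flags & (SYN | FIN | RST):
        return False
    return payload_len in (0, 1) and seq == next_expected_seq - 1


def time_to_detect_dead_peer(idle_s, interval_s, probe_count):
    """Worst case, in seconds, from the last data segment until the local
    stack declares the peer dead: the idle wait plus every unanswered probe."""
    return idle_s + interval_s * probe_count


def enable_keepalive(sock, idle_s, interval_s, probe_count):
    """Turn on keep-alives for one socket and set its three timers.

    Returns the values the kernel reports back via getsockopt so the caller
    can confirm the settings actually took on this platform.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}

    # Linux name first, then the macOS name for the same idle timer (assumption:
    # the platform exposes at least one of them; otherwise the system default stays).
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    knobs = (
        ("idle", idle_opt, idle_s),
        ("interval", getattr(socket, "TCP_KEEPINTVL", None), interval_s),
        ("count", getattr(socket, "TCP_KEEPCNT", None), probe_count),
    )
    for name, opt, value in knobs:
        if opt is None:
            continue  # this stack has no per-socket knob for it; system default applies
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


if __name__ == "__main__":
    # Constructed segments from one flow: next expected sequence number is 1001.
    print(is_keepalive_probe(seq=1000, next_expected_seq=1001, payload_len=0, flags=ACK))
    print(is_keepalive_probe(seq=1001, next_expected_seq=1001, payload_len=512, flags=ACK))

    # With stock Linux settings a dead peer goes unnoticed for over two hours.
    print(time_to_detect_dead_peer(LINUX_DEFAULT_IDLE, LINUX_DEFAULT_INTERVAL, LINUX_DEFAULT_COUNT))

    # Tighten the timers on a fresh socket: 60 s idle, probe every 10 s, give up after 3.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print(enable_keepalive(s, 60, 10, 3))
```

The detection-time arithmetic is the part worth remembering when reading a trace: keep-alives that appear only after long idle gaps are the stack doing its job, while the interesting case is a burst of unanswered probes (idle time plus interval times count) ending in a teardown, which tells you when the peer or the path actually went away.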