Why does a zero-window probe segment use a previous sequence number?
Issue
- Why does a zero-window probe segment use a previous sequence number?
Sample of zero-window probe segments:
# tcpdump -nnvvS -r /tmp/0probe.cap
...skip
15:51:38.821359 IP (tos 0x0, ttl 64, id 25797, offset 0, flags [DF], proto TCP (6), length 1500)
10.0.0.5.52543 > 10.0.0.6.7777: Flags [.], cksum 0x7b6b (incorrect -> 0xc4e9), seq 449541968:449543416, ack 814785370, win 115, options [nop,nop,TS val 92400718 ecr 18778655], length 1448
15:51:38.861373 IP (tos 0x0, ttl 64, id 10910, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.6.7777 > 10.0.0.5.52543: Flags [.], cksum 0x75c3 (incorrect -> 0x2c95), seq 814785370, ack 449543416, win 7, options [nop,nop,TS val 18778695 ecr 92400718], length 0
15:51:39.073437 IP (tos 0x0, ttl 64, id 25798, offset 0, flags [DF], proto TCP (6), length 948)
10.0.0.5.52543 > 10.0.0.6.7777: Flags [P.], cksum 0x7943 (incorrect -> 0xbd39), seq 449543416:449544312, ack 814785370, win 115, options [nop,nop,TS val 92400971 ecr 18778695], length 896
15:51:39.073693 IP (tos 0x0, ttl 64, id 10911, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.6.7777 > 10.0.0.5.52543: Flags [.], cksum 0x75c3 (incorrect -> 0x274b), seq 814785370, ack 449544312, win 0, options [nop,nop,TS val 18778907 ecr 92400971], length 0
15:51:39.285437 IP (tos 0x0, ttl 64, id 25799, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.5.52543 > 10.0.0.6.7777: Flags [.], cksum 0x2605 (correct), seq 449544311, ack 814785370, win 115, options [nop,nop,TS val 92401183 ecr 18778907], length 0
15:51:39.285668 IP (tos 0x0, ttl 64, id 10912, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.6.7777 > 10.0.0.5.52543: Flags [.], cksum 0x75c3 (incorrect -> 0x2677), seq 814785370, ack 449544312, win 0, options [nop,nop,TS val 18779119 ecr 92400971], length 0
15:51:39.709469 IP (tos 0x0, ttl 64, id 25800, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.5.52543 > 10.0.0.6.7777: Flags [.], cksum 0x2389 (correct), seq 449544311, ack 814785370, win 115, options [nop,nop,TS val 92401607 ecr 18779119], length 0
15:51:39.709852 IP (tos 0x0, ttl 64, id 10913, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.6.7777 > 10.0.0.5.52543: Flags [.], cksum 0x75c3 (incorrect -> 0x24cf), seq 814785370, ack 449544312, win 0, options [nop,nop,TS val 18779543 ecr 92400971], length 0
15:51:40.557432 IP (tos 0x0, ttl 64, id 25801, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.5.52543 > 10.0.0.6.7777: Flags [.], cksum 0x1e91 (correct), seq 449544311, ack 814785370, win 115, options [nop,nop,TS val 92402455 ecr 18779543], length 0
Note:
15:51:39.073437 seq 449543416:449544312 <== Usual data segment
15:51:39.285437 seq 449544311 <== Probe segment using a previous sequence number
15:51:39.709469 seq 449544311 <== Probe segment using a previous sequence number
15:51:40.557432 seq 449544311 <== Probe segment using a previous sequence number
- Why do we see TCP Keep-Alive before TCP ZeroWindow?
20 0.212616000 10.0.0.1 10.0.0.2 [TCP Window Full] 32516 → 8000 [PSH, ACK] Seq=115025 Ack=1 Win=26880 Len=4864 TSval=655997846 TSecr=2971487238
21 0.000138000 10.0.0.2 10.0.0.1 [TCP ZeroWindow] 8000 → 32516 [ACK] Seq=1 Ack=119889 Win=0 Len=0 TSval=2971487450 TSecr=655997846
22 0.206869000 10.0.0.1 10.0.0.2 [TCP Keep-Alive] 32516 → 8000 [ACK] Seq=119888 Ack=1 Win=26880 Len=0 TSval=655998053 TSecr=2971487450
23 0.000129000 10.0.0.2 10.0.0.1 [TCP ZeroWindow] 8000 → 32516 [ACK] Seq=1 Ack=119889 Win=0 Len=0 TSval=2971487657 TSecr=655997846
24 0.415860000 10.0.0.1 10.0.0.2 [TCP Keep-Alive] 32516 → 8000 [ACK] Seq=119888 Ack=1 Win=26880 Len=0 TSval=655998469 TSecr=2971487657
25 0.857001000 10.0.0.1 10.0.0.2 [TCP Keep-Alive] 32516 → 8000 [ACK] Seq=119888 Ack=1 Win=26880 Len=0 TSval=655999326 TSecr=2971487657
26 0.000120000 10.0.0.2 10.0.0.1 [TCP ZeroWindow] 8000 → 32516 [ACK] Seq=1 Ack=119889 Win=0 Len=0 TSval=2971488930 TSecr=655997846
27 1.664734000 10.0.0.1 10.0.0.2 [TCP Keep-Alive] 32516 → 8000 [ACK] Seq=119888 Ack=1 Win=26880 Len=0 TSval=656000990 TSecr=2971488930
28 0.000130000 10.0.0.2 10.0.0.1 [TCP ZeroWindow] 8000 → 32516 [ACK] Seq=1 Ack=119889 Win=0 Len=0 TSval=2971490595 TSecr=655997846
29 3.326014000 10.0.0.1 10.0.0.2 [TCP Keep-Alive] 32516 → 8000 [ACK] Seq=119888 Ack=1 Win=26880 Len=0 TSval=656004317 TSecr=2971490595
30 0.000114000 10.0.0.2 10.0.0.1 [TCP ZeroWindow] 8000 → 32516 [ACK] Seq=1 Ack=119889 Win=0 Len=0 TSval=2971493921 TSecr=655997846
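Both captures show the same wire pattern: a zero-length segment whose sequence number is one below the peer's last ACK, sent while the peer advertises window 0. The Python below is an added example, not part of the original article, that picks this pattern out of `tcpdump -S` output; the function name `classify` and the label strings are assumptions, and the sample lines are copied from the tcpdump output above. A segment of the same shape sent while the peer's window is open is labelled `keepalive-shaped`, since only the preceding window advertisement tells the two apart.

```python
import re

# Detail lines copied from the tcpdump -nnvvS sample on this page.
SAMPLE = """\
10.0.0.5.52543 > 10.0.0.6.7777: Flags [P.], cksum 0x7943 (incorrect -> 0xbd39), seq 449543416:449544312, ack 814785370, win 115, options [nop,nop,TS val 92400971 ecr 18778695], length 896
10.0.0.6.7777 > 10.0.0.5.52543: Flags [.], cksum 0x75c3 (incorrect -> 0x274b), seq 814785370, ack 449544312, win 0, options [nop,nop,TS val 18778907 ecr 92400971], length 0
10.0.0.5.52543 > 10.0.0.6.7777: Flags [.], cksum 0x2605 (correct), seq 449544311, ack 814785370, win 115, options [nop,nop,TS val 92401183 ecr 18778907], length 0
10.0.0.6.7777 > 10.0.0.5.52543: Flags [.], cksum 0x75c3 (incorrect -> 0x2677), seq 814785370, ack 449544312, win 0, options [nop,nop,TS val 18779119 ecr 92400971], length 0
10.0.0.5.52543 > 10.0.0.6.7777: Flags [.], cksum 0x2389 (correct), seq 449544311, ack 814785370, win 115, options [nop,nop,TS val 92401607 ecr 18779119], length 0
"""

# Matches the TCP detail line; absolute sequence numbers (-S) are required.
SEG = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"seq (?P<seq>\d+)(?::\d+)?, ack (?P<ack>\d+), win (?P<win>\d+).*?length (?P<len>\d+)"
)

def classify(text):
    """Return [(src, kind)] for each TCP detail line in tcpdump -S output."""
    last = {}  # endpoint -> (ack, win) it most recently sent
    out = []
    for line in text.splitlines():
        m = SEG.search(line)
        if not m:
            continue  # IP header lines, "...skip", segments without an ACK
        seq, ack, win, length = (int(m[k]) for k in ("seq", "ack", "win", "len"))
        peer = last.get(m["dst"])
        # Sequence number one byte below what the peer already ACKed (mod 2^32),
        # on a segment that is not SYN/FIN/RST.
        stale = (peer is not None and not set(m["flags"]) & set("SFR")
                 and seq == (peer[0] - 1) % 2**32)
        if length > 0:
            kind = "data"
        elif stale and peer[1] == 0:
            kind = "zero-window-probe"   # peer's last advertised window was 0
        elif stale:
            kind = "keepalive-shaped"    # same shape, but peer's window is open
        elif win == 0:
            kind = "zero-window"
        else:
            kind = "ack"
        last[m["src"]] = (ack, win)
        out.append((m["src"], kind))
    return out

if __name__ == "__main__":
    for src, kind in classify(SAMPLE):
        print(f"{src:<16} {kind}")
```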
Environment
- Red Hat Enterprise Linux
- TCP