
Wireshark-users: Re: [Wireshark-users] TCP connection is still in ESTABLISH state actually it is

From: Jack Jackson <jack@xxxxxxxxxxxxxxx>
Date: Sun, 30 May 2010 12:01:43 -0700
At 11:16 AM 5/30/2010, Bo Xu wrote:
Hello Guys,

Today I have found 2 TCP connections in ESTABLISH state while the peer side said they have already disconnected the connection, but even though they stopped the application, the 2 TCP connections are still there :(.

Now I am wondering when the OS will release these 2 fake ESTABLISH connections. I dug into this issue with Google, and I have found these parameters in my OS, which is AIX 5.8. So AIX will release these 2 connections according to the tcp_keepidle (2 hours), am I right?

And what does tcp_keepintvl stand for?

        tcp_keepidle = 14400
        tcp_keepinit = 150
        tcp_keepintvl = 150

My understanding is that tcp_keepidle is the time before the first keep-alive probe is sent. If no response is received, tcp_keepintvl determines how often subsequent probes are sent. tcp_keepcnt determines how many probes are sent without a response before the connection is dropped.

Since I believe those values for AIX are in units of 1/2 second, after 2 hours the first probe will be sent. Every 75 seconds another probe will be sent. When the tcp_keepcnt number of probes have been sent (probably something like 8) with nothing received, the connection will be dropped. So I would expect the connection to be dropped about 2 hours and 11 minutes after the connection goes idle.
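
The probe schedule described in the reply above, as an added example that is not part of the original thread: it converts the posted tunables into a timeline and shows how an application can request shorter keep-alive timers on its own socket instead of waiting on the system-wide defaults. The half-second unit and tcp_keepcnt = 8 are the reply's own assumptions, and the function names are hypothetical.

```python
import socket

# Assumption taken from the reply: AIX expresses these tunables in half-seconds.
HALF_SECOND = 0.5


def keepalive_timeline(keepidle, keepintvl, keepcnt, unit=HALF_SECOND):
    """Return (probe_times, drop_time) in seconds after the connection goes idle."""
    idle_s = keepidle * unit
    intvl_s = keepintvl * unit
    # First probe after the idle timer, then one more every interval.
    probes = [idle_s + i * intvl_s for i in range(keepcnt)]
    # The peer is declared dead one interval after the last unanswered probe.
    drop = idle_s + keepcnt * intvl_s
    return probes, drop


def enable_keepalive(sock, idle_s, intvl_s, cnt):
    """Enable keep-alive on one socket and override the timers where the
    platform exposes per-socket options (in seconds on Linux).
    Returns the values read back from the kernel."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {
        "SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0
    }
    wanted = (("TCP_KEEPIDLE", idle_s), ("TCP_KEEPINTVL", intvl_s), ("TCP_KEEPCNT", cnt))
    for name, value in wanted:
        opt = getattr(socket, name, None)
        if opt is None:  # option not available on this platform
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


if __name__ == "__main__":
    # Values from the original post; keepcnt=8 is the reply's guess.
    probes, drop = keepalive_timeline(14400, 150, 8)
    print("first probe at %.0f s, then every %.0f s" % (probes[0], probes[1] - probes[0]))
    print("connection dropped after about %.0f min idle" % (drop / 60))

    # Per-socket override: detect a dead peer in roughly 60 + 4 * 10 = 100 s.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print(enable_keepalive(s, idle_s=60, intvl_s=10, cnt=4))
```

Keep-alive probes are only sent on sockets that have SO_KEEPALIVE enabled, so the system-wide timers have no effect on a connection whose application never set that option.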