Observing keep-alive segments

Network congestion is part of today's landscape. Latency and delayed packets have many negative effects, such as slow web page retrieval. When a client communicates with a web server, both sides use Hypertext Transfer Protocol (HTTP).

If, during a session, the network becomes sluggish and both sides begin to experience slow response times, HTTP uses a method called keep-alive that keeps a session alive instead of dropping the connection and having to go through the expensive negotiation of reestablishing the connection.

A keep-alive packet doesn't have any data; it has the ACK flag set, and the sequence number is set to one less than the current sequence number. Keep-alive packets are sent between the client and the server to keep the session active and to verify that both sides are still responding.
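The rule above, written as detection logic over a stream of segments (an added example, not from the original text; the `Segment` type, `find_keepalives` function and sample stream are constructed for illustration). It also accepts a one-byte payload, which Wireshark's own keep-alive analysis allows.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class Segment:
    src: str      # sender label (constructed)
    seq: int      # relative sequence number
    length: int   # TCP payload bytes
    flags: int    # TCP flag bits

def find_keepalives(segments):
    """Return the indexes of segments that look like TCP keep-alive probes."""
    next_seq = {}  # sender -> next expected sequence number
    hits = []
    for i, s in enumerate(segments):
        expected = next_seq.get(s.src)
        is_probe = (
            expected is not None
            and bool(s.flags & ACK)
            and not s.flags & (SYN | FIN | RST)
            and s.length <= 1
            and s.seq == expected - 1   # one less than the current sequence number
        )
        if is_probe:
            hits.append(i)
            continue
        # SYN and FIN each consume one sequence number
        end = s.seq + s.length + (1 if s.flags & (SYN | FIN) else 0)
        next_seq[s.src] = max(next_seq.get(s.src, end), end)
    return hits

# Constructed sample stream (not taken from the CloudShark capture)
SAMPLE = [
    Segment("client", 0, 0, SYN),
    Segment("server", 0, 0, SYN | ACK),
    Segment("client", 1, 0, ACK),
    Segment("client", 1, 120, PSH | ACK),   # request
    Segment("server", 1, 0, ACK),
    Segment("server", 1, 500, PSH | ACK),   # response
    Segment("client", 121, 0, ACK),         # ordinary ACK
    Segment("client", 120, 0, ACK),         # keep-alive probe, no data
    Segment("server", 501, 0, ACK),         # reply to the probe
    Segment("server", 500, 1, ACK),         # keep-alive probe, one byte
    Segment("client", 121, 0, ACK),
]

if __name__ == "__main__":
    print(find_keepalives(SAMPLE))
```

An ordinary ACK and a keep-alive differ only in the sequence number, which is why the detector has to track the next expected sequence number per sender.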

If you would like to see an example of a keep-alive packet, go to https://www.cloudshark.org/captures/5618ff446df8. Once the page is open, select Export, which is found on the right-hand side of the interface, and then select Export a new pcapng with CloudShark comments and annotations, as shown here:

Export file from CloudShark

Open the cloushark_tcp-keep alive.pcapng file in Wireshark. Once open, select packet 158, right-click, and then select Follow | TCP Stream. You can also use the tcp.stream eq 17 display filter. Once you have filtered the traffic, you should see the following:

 

HTTP keep-alive packets

I have removed the coloring so you can see the exchange of keep-alives in packets 153 and 158. In this capture, it is most likely that the network is congested and latency is preventing the exchange of data. As a result, HTTP uses keep-alive packets, which are messages between both endpoints to keep the session alive.

Therefore, in addition to seeing duplicate acknowledgments when there is network congestion, you may also see multiple keep-alive packets.

Next, let's take a look at another indication of slow network speeds and congestion: the presence of retransmissions.
