11

I ran Wireshark on my PC and found that my Chrome browser was sending LOTS of keep-alive packets even when there are no sites loaded in the browser, and even when there are no extensions installed!! I don't recognize the IPs that Chrome is trying to contact. Does anyone know what this is all about?

I have three PCs and two out of three exhibit this behavior of sending keep-alive packets. One does not. It's possible that this is due to Wireshark settings??

I can post details of the OS, Chrome version and Wireshark export for each if necessary but it would get pretty long. So, please let me know if there is any other info I should post that would help determine the cause of this.

Edit

This is embarrassing. I can't seem to replicate the problem on either PC right now! I saved my earlier Wireshark logs as .txt files so I'm running Wireshark again to capture some .pcap files and I'm not seeing the problem! I get pairs of random keep-alive packets as opposed to 35+ in a row as previously. See http://cloudshark.org/captures/12d73929a99f for what I can log at time of this edited posting.

Earlier text output can be seen at http://pastebin.com/69JSMF7K

Would there be any specific reason that these keep-alive packets happen more often during certain times of the day?

nmc
  • 237

3 Answers

5

You may want to check out this article regarding keep-alive timeouts:

Interestingly one of the other things I noticed while doing this test with Wireshark is that after 45 seconds, Chrome would send a TCP keep-alive packet, and would keep doing that every 45 seconds until the 5 minute timeout. No other browser would do this.

My guess would be that Chrome had opened a connection to the Google Instant server (probably as soon as you typed something in the browser bar) and then is sending the keep-alives to keep the connection open until the browser is finally closed. As mentioned in the article above, many NAT routers will close an idle connection after 2 minutes so various browsers will send keep-alives on intervals shorter than that to keep connections open.
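As an added example (not part of the original answer, and not Wireshark's own code), this Python script applies the rule Wireshark documents for tagging a segment as a TCP keep-alive, then measures the interval per connection so it can be compared with the 45-second and 2-minute figures above. The record layout, the addresses (documentation ranges) and the sample packets are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

SYN, FIN, RST = 0x02, 0x01, 0x04  # TCP flag bits

# Constructed sample, not the poster's capture. Columns (an assumed export):
# time_s, src, sport, dst, dport, relative seq, payload len, tcp flags.
SAMPLE = [
    (0.0,   "192.0.2.10", 50001, "198.51.100.7", 443, 1,   100, 0x18),
    (1.0,   "192.0.2.10", 50002, "203.0.113.5",  443, 1,   50,  0x18),
    (10.0,  "192.0.2.10", 50002, "203.0.113.5",  443, 51,  20,  0x18),
    (12.0,  "192.0.2.10", 50002, "203.0.113.5",  443, 71,  0,   0x10),  # plain ACK
    (45.0,  "192.0.2.10", 50001, "198.51.100.7", 443, 100, 1,   0x10),
    (90.0,  "192.0.2.10", 50001, "198.51.100.7", 443, 100, 1,   0x10),
    (135.0, "192.0.2.10", 50001, "198.51.100.7", 443, 100, 1,   0x10),
]

def find_keepalives(packets):
    """Return {flow: [timestamps]} for segments that look like keep-alives."""
    next_seq = {}                 # per-direction next expected sequence number
    hits = defaultdict(list)
    for t, src, sport, dst, dport, seq, length, flags in packets:
        flow = (src, sport, dst, dport)
        expected = next_seq.get(flow)
        # Keep-alive: 0 or 1 byte, seq one below the next expected byte,
        # and no SYN/FIN/RST. Sequence wraparound is ignored here.
        if (expected is not None and length in (0, 1)
                and seq == expected - 1 and not flags & (SYN | FIN | RST)):
            hits[flow].append(t)
            continue
        end = seq + length + (1 if flags & (SYN | FIN) else 0)
        next_seq[flow] = max(expected or 0, end)
    return dict(hits)

def summarize(hits, nat_idle_timeout=120.0):
    """Per flow: keep-alive count, median interval, and NAT-timeout comparison."""
    report = {}
    for flow, times in hits.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps) if gaps else None
        report[flow] = {
            "count": len(times),
            "period_s": period,
            "under_nat_timeout": period is not None and period < nat_idle_timeout,
        }
    return report

if __name__ == "__main__":
    for flow, info in summarize(find_keepalives(SAMPLE)).items():
        print(flow[2], flow[3], info)
```

A steady interval below the router's idle timeout on one long-lived connection points to ordinary connection maintenance; the destination address in each flow is what to look up when deciding who the peer is.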

1

@Sathya: I don't think so. My version is up to date and as Spiff said, the IPs don't appear to belong to Google. – nmc 2 days ago

Erm... http://74.125.226.92 and http://74.125.226.34/ are Google for sure. ;)

It's either related to Google Updater or Google Instant, just to keep a connection with Google open...

0

Are you sure that it is keep-alive? Every keystroke entered in the browser or a search box is sent to Google as it is typed. Maybe that is what you are seeing. The EULA when you install any Google software also states that searches from all your browsers will be sent and not just Google's. That is then saved on their servers with a unique ID from your computer so they can keep track of which data came from your machine.

Abraxas
  • 1,265