Are you sure they are zero window probes and not normal keep-alives?
A zero window probe contains one byte of payload just beyong the right edge
of the window, thats why they are
called zero window probes : send one extra byte of data even though the
window is zero to opportunistically probe
if the window has opened again.
zero window probes also usually run on a normal constant timer and usually
do not contain any exponential backoff.
a tcp keepalive on the other hand usually
transmit an "invalid" segment containing zer or 1 byte of payload just one
byte prior to the left edge of the window.
These usually have an exponential backoff in the same way as normal data
These segments have deliberately an sequence number outside of the expected
window so that they will
trigger an immediate ACK to be sent back from the other side.
An implementation that can not send an immediate ACK back to a keep-alive is