I would like to look for packets sent between two Linux 2.6.32 systems that are coming from the kernel due to sockets that have SO_KEEPALIVE set having been idle long enough to cause keep-alive packets to be sent. What filter expression should I use? I'd prefer a capture filter, but if only a display filter works I can use that instead. Thanks asked 23 May '13, 15:06 token
2 Answers:
You might not be able to see this in the packets themselves unless they have some specific bytes that make them distinguishable, and the keep-alives I have seen so far are usually normal TCP packets without any payload. The Wireshark TCP expert marks them as keep-alives though, because it keeps track of the TCP session. You can filter for them by using the display filter "tcp.analysis.keep_alive". answered 23 May '13, 15:13 Jasper ♦♦ edited 30 Jun '13, 23:59 cmaynard ♦♦
TCP network packets with no data in them and the ACK flag turned on. answered 30 Jun '13, 00:19 Inge Eivind ...
That'll also see normal ACK-only packets, sent because the machine sending the ACK-only packet has no data to transmit but needs to acknowledge data it received.
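To make the difference between an ordinary empty ACK and a keep-alive concrete, here is an added example (not Wireshark's code and not from this thread) that applies the rule Wireshark's TCP expert uses for tcp.analysis.keep_alive to a constructed flow: a segment with at most one byte of payload, no SYN/FIN/RST, and a sequence number one below the next one expected from that sender. The Segment class, the endpoint addresses and the sample segments are assumptions made for the illustration.

```python
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
MASK = 0xFFFFFFFF  # TCP sequence numbers wrap at 32 bits

@dataclass
class Segment:
    src: str  # sender endpoint, e.g. "10.0.0.1:40000" (constructed)
    seq: int
    ack: int
    flags: int
    payload_len: int

def classify(segments):
    """Label segments: control, data, pure-ack, keep-alive or keep-alive-ack.
    Keep-alive (Wireshark's rule): <=1 byte payload, no SYN/FIN/RST, seq == next
    expected seq from that sender - 1. Peer's pure ACK of seq + 1 is the ka-ack."""
    next_seq, pending_ka, labels = {}, None, []  # pending_ka = (sender, seq)
    for s in segments:
        expected = next_seq.get(s.src)
        ctrl = s.flags & (SYN | FIN | RST)
        if (expected is not None and not ctrl and s.payload_len <= 1
                and s.seq == (expected - 1) & MASK):
            labels.append("keep-alive")
            pending_ka = (s.src, s.seq)
            continue  # a keep-alive does not advance the sender's sequence space
        if ctrl:
            label = "control"
        elif s.payload_len == 0 and s.flags & ACK:
            label = "pure-ack"
            if pending_ka and pending_ka[0] != s.src and s.ack == (pending_ka[1] + 1) & MASK:
                label = "keep-alive-ack"
        else:
            label = "data"
        labels.append(label)
        pending_ka = None
        # SYN and FIN each consume one sequence number on top of the payload
        adv = s.payload_len + bool(s.flags & SYN) + bool(s.flags & FIN)
        next_seq[s.src] = (s.seq + adv) & MASK
    return labels

# Constructed flow: handshake, 10 bytes of data, then a keep-alive probe from the
# client (seq one below its next seq, no payload) and the server's ACK of it.
A, B = "10.0.0.1:40000", "10.0.0.2:22"
SAMPLE = [
    Segment(A, 1000, 0, SYN, 0), Segment(B, 5000, 1001, SYN | ACK, 0),
    Segment(A, 1001, 5001, ACK, 0), Segment(A, 1001, 5001, ACK, 10),
    Segment(B, 5001, 1011, ACK, 0),  # ordinary ACK of the data, not a keep-alive
    Segment(A, 1010, 5001, ACK, 0),  # keep-alive probe
    Segment(B, 5001, 1011, ACK, 0),  # keep-alive ACK
]
```

The fifth segment and the last one are byte-for-byte identical empty ACKs; only the flow state (whether a keep-alive probe preceded them) tells them apart, which is why a stateless "ACK with no data" filter over-matches.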