I would like to look for packets sent between two Linux 2.6.32 systems that are coming from the kernel due to sockets that have SO_KEEPALIVE set having been idle long enough to cause keep-alive packets to be sent. What filter expression should I use? I'd prefer a capture filter, but if only a display filter works I can use that instead. Thanks
asked 23 May '13, 15:06
You might not be able to see this in the packets themselves unless they have some specific bytes that make them distinguishable, and the keep-alives I have seen so far are usually normal TCP packets without any payload. The Wireshark TCP expert marks them as keep-alives though, because it keeps track of the TCP session. You can filter for them by using the display filter `tcp.analysis.keep_alive`.
answered 23 May '13, 15:13
edited 30 Jun '13, 23:59
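To show why this needs a display filter rather than a capture filter, here is an added example (not code from the answer or from Wireshark) that re-implements the session-tracking heuristic Wireshark's TCP analysis uses for `tcp.analysis.keep_alive`: an ACK segment with zero or one byte of payload whose sequence number is one less than the sender's next expected sequence number. The packet list is constructed; the stateless BPF language a capture filter uses cannot express the "next expected seq" condition.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str          # constructed "ip:port" of the sender
    dst: str
    seq: int
    ack_flag: bool
    syn: bool
    fin: bool
    payload_len: int

def find_keepalives(segments):
    """Return indices of segments matching the keep-alive heuristic:
    ACK set, <=1 byte payload, seq == (next expected seq from sender) - 1.
    Requires per-direction state, which is why a BPF capture filter cannot do it."""
    next_seq = {}  # (src, dst) -> next sequence number we expect from src
    hits = []
    for i, s in enumerate(segments):
        key = (s.src, s.dst)
        expected = next_seq.get(key)
        if (expected is not None and s.ack_flag and not s.syn and not s.fin
                and s.payload_len <= 1 and s.seq == expected - 1):
            hits.append(i)
            continue  # a keep-alive does not advance the sequence space
        # SYN and FIN each consume one sequence number, like payload bytes
        end = s.seq + s.payload_len + int(s.syn) + int(s.fin)
        if expected is None or end > expected:
            next_seq[key] = end
    return hits

def sample_capture():
    """Constructed two-host exchange: handshake, data, then idle keep-alives."""
    A, B = "10.0.0.1:40000", "10.0.0.2:22"
    return [
        Segment(A, B, 1000, False, True, False, 0),   # 0: SYN
        Segment(B, A, 5000, True, True, False, 0),    # 1: SYN/ACK
        Segment(A, B, 1001, True, False, False, 0),   # 2: ACK
        Segment(A, B, 1001, True, False, False, 20),  # 3: 20 bytes of data
        Segment(B, A, 5001, True, False, False, 0),   # 4: ACK of the data
        Segment(A, B, 1020, True, False, False, 0),   # 5: keep-alive (seq = 1021 - 1)
        Segment(B, A, 5001, True, False, False, 0),   # 6: keep-alive ACK (not flagged here)
        Segment(A, B, 1021, True, False, False, 10),  # 7: more data
        Segment(A, B, 1030, True, False, False, 0),   # 8: another keep-alive
    ]

if __name__ == "__main__":
    print("keep-alive segments:", find_keepalives(sample_capture()))  # [5, 8]
```

The matching `tcp.analysis.keep_alive_ack` response (segment 6) is left out so the block stays within the single heuristic the answer describes.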
TCP network packets with no data in them and the ACK flag turned on.
answered 30 Jun '13, 00:19
Inge Eivind ...