This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter TCP SO_KEEPALIVE packets?

0

I would like to look for packets sent between to Linux 2.6.32 systems that are coming from the kernel due to sockets that have SO_KEEPALIVE set having been idle long enough to cause keep alive packets to be sent. What filter expression should I use? I'd prefer a capture filter but if only a display filter works I can use that instead. Thanks

asked 23 May '13, 15:06

token's gravatar image

token
6113
accept rate: 0%


2 Answers:

4

You might not be able to see this in the packets themselves unless they have some specific bytes that makes them distinguishable, and the keep-alives I have seen so far are usually normal TCP packets without any payload. The Wireshark TCP expert marks them as keep-alives though because it keeps track of the TCP session. You can filter for them by using the display filter, "tcp.analysis.keep_alive".

answered 23 May '13, 15:13

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 30 Jun '13, 23:59

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

0

TCP network packets with no data in it and the ACK flag turned on.

answered 30 Jun '13, 00:19

Inge%20Eivind%20Henriksen's gravatar image

Inge Eivind ...
111
accept rate: 0%

That'll also see normal ACK-only packets, sent because the machine sending the ACK-only packet has no data to transmit but needs to acknowledge data it received.

(30 Jun '13, 20:10) Guy Harris ♦♦