8

I need to analyze a traffic dump on my network to check if all the PCs have enabled the TCP keep-alive feature. I'm using tcpdump for that purpose.

What I need to know is whether it is possible to filter for only the keep-alive packets.

On Windows I see that Wireshark can do that, but on my Linux system, which has only console mode, I don't know how to filter for that sort of packet.

sysadmin1138
  • 135,853
enzo1959
  • 205

3 Answers

9

A keepalive probe is a packet with no data in it and the ACK flag turned on.

port="port_number_being_used"
intf="name_of_the_network_interface"
tcpdump -pni ${intf} -v "tcp port ${port} and ( tcp[tcpflags] & tcp-ack != 0 and ( (ip[2:2] - ((ip[0]&0xf)<<2) ) - ((tcp[12]&0xf0)>>2) ) == 0 ) "

What this does:

  • bit-wise AND between the TCP flags field and tcp-ack to make sure it is an ACK
  • the IP packet length (in bytes) minus the IP header length minus the TCP header length, to make sure it has no data

Disclaimer: not actually tested, but should point you in a good direction

NOTE: breakdown of the tcpdump filter to make it more readable. You can probably take out the first set of parens.

tcp port ${port}
and
(
 tcp[tcpflags] & tcp-ack != 0
 and
 (
  (ip[2:2] - ((ip[0] & 0xf) << 2))
  -
  ((tcp[12] & 0xf0) >> 2)
 ) == 0
)
krugger
  • 441
6

Wireshark uses the same capture syntax as tcpdump. Both work from libpcap. However, I think the feature you are looking at in Wireshark is a display filter which heuristically analyzes neighboring packets. I think the best you can do at capture is to look for 1-byte or 0-byte ACKs in response to a keep-alive request. Try this:

# payload length = IP total length - IP header length - TCP header length; "less 1" (frame length <= 1) would never match a TCP packet
tcpdump -vv "tcp[tcpflags] == tcp-ack and (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) <= 1"

and see if you get traffic between the expected hosts.

RFC 1122 covers TCP Keep-alives and leaves much of the implementation up to the vendor.


Also, you could consider using tcpdump on your Linux host to capture to a file and then transfer the capture to your workstation for analysis.

Aaron Copley
  • 12,954
0

Answering this because I needed it myself and this question was my first hit for 'tcpdump keepalive'.

Here in the future you can install the text-mode tshark to get this, e.g.

$ sudo tshark -n -i eth0 tcp port 5757 and host 1.126.111.153
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
 ** (tshark:123434) 01:46:47.004576 [Main MESSAGE] -- Capture started.
 ** (tshark:123434) 01:46:47.004665 [Main MESSAGE] -- File: "/tmp/wireshark_eth0FBWJ22.pcapng"
    1 0.000000000 1.126.111.153 → 172.31.40.200 TCP 66 42785 → 5757 [SYN] Seq=0 Win=11300 Len=0 MSS=1400 SACK_PERM=1 WS=1
    2 0.000086768 172.31.40.200 → 1.126.111.153 TCP 66 5757 → 42785 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
    3 0.151708734 1.126.111.153 → 172.31.40.200 TCP 60 42785 → 5757 [ACK] Seq=1 Ack=1 Win=11300 Len=0
    4 0.151813470 1.126.111.153 → 172.31.40.200 TCP 61 42785 → 5757 [PSH, ACK] Seq=1 Ack=1 Win=11300 Len=7
    5 0.151837972 172.31.40.200 → 1.126.111.153 TCP 54 5757 → 42785 [ACK] Seq=1 Ack=8 Win=64256 Len=0
    6 30.490659989 1.126.111.153 → 172.31.40.200 TCP 60 [TCP Keep-Alive] 42785 → 5757 [ACK] Seq=7 Ack=1 Win=11300 Len=1
    7 30.490721907 172.31.40.200 → 1.126.111.153 TCP 66 [TCP Keep-Alive ACK] 5757 → 42785 [ACK] Seq=1 Ack=8 Win=64256 Len=0 SLE=7 SRE=8
    8 60.970668468 1.126.111.153 → 172.31.40.200 TCP 60 [TCP Keep-Alive] 42785 → 5757 [ACK] Seq=7 Ack=1 Win=11300 Len=1
    9 60.970702292 172.31.40.200 → 1.126.111.153 TCP 66 [TCP Keep-Alive ACK] 5757 → 42785 [ACK] Seq=1 Ack=8 Win=64256 Len=0 SLE=7 SRE=8
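An added example, not code from any of the answers above, that makes the two approaches concrete: the stateless payload-length arithmetic behind krugger's capture filter (ip[2:2] minus IP header length minus TCP header length, plus the ACK flag test), and a stateful sequence-number heuristic of the kind Aaron Copley describes Wireshark's display layer applying, which is what produces the [TCP Keep-Alive] tag in the tshark output in the last answer. The packets are constructed inline and modelled on that tshark flow (a 7-byte request, then a 1-byte probe and a 0-byte probe of the kind Linux sends); addresses, ports, sequence numbers and the SACK option are all made up, and checksums are left at zero, so they are test input only. The heuristic itself (payload of 0 or 1 byte, no SYN/FIN/RST, sequence number one below what the peer expects next) is an assumption about how such a detector works, not a reproduction of Wireshark's code.

```python
"""Capture-filter arithmetic vs. a keep-alive heuristic over constructed IPv4/TCP packets."""
import struct
from typing import List

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
CLIENT, SERVER = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def build_packet(src: bytes, dst: bytes, sport: int, dport: int, seq: int, ack: int,
                 flags: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet (no Ethernet header) as test input. Checksums are zero."""
    options += b"\x00" * (-len(options) % 4)          # TCP options are padded to 32-bit words
    tcp_hdr_len = 20 + len(options)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          (tcp_hdr_len // 4) << 4,       # data offset: high nibble of tcp[12]
                          flags, 11300, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0,        # version 4, IHL 5 (20-byte header)
                         20 + tcp_hdr_len + len(payload),  # ip[2:2]: total length
                         0, 0, 64, 6, 0, src, dst)
    return ip_hdr + tcp_hdr + options + payload


def tcp_payload_len(pkt: bytes) -> int:
    """Exactly the filter's expression: ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)."""
    ip_hlen = (pkt[0] & 0x0F) << 2
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    tcp_hlen = (pkt[ip_hlen + 12] & 0xF0) >> 2
    return total_len - ip_hlen - tcp_hlen


def parse(pkt: bytes):
    """Return (flow key, seq, flags, payload length); flow key is (src, sport, dst, dport)."""
    ip_hlen = (pkt[0] & 0x0F) << 2
    sport, dport, seq = struct.unpack_from("!HHI", pkt, ip_hlen)
    return (pkt[12:16], sport, pkt[16:20], dport), seq, pkt[ip_hlen + 13], tcp_payload_len(pkt)


def matches_capture_filter(pkt: bytes) -> bool:
    """Stateless, like the tcpdump filter: ACK set and zero payload. Every pure ACK matches."""
    _, _, flags, plen = parse(pkt)
    return bool(flags & TCP_ACK) and plen == 0


def find_keepalives(pkts: List[bytes]) -> List[int]:
    """Stateful heuristic: payload <= 1 byte, no SYN/FIN/RST, and seq == peer's expected seq - 1.
    Tracks one expected sequence number per direction; ignores 32-bit wraparound and
    retransmissions (fine for this sample). Returns 1-based frame numbers like tshark."""
    next_seq = {}
    hits = []
    for frame, pkt in enumerate(pkts, start=1):
        flow, seq, flags, plen = parse(pkt)
        expected = next_seq.get(flow)
        if (expected is not None and plen <= 1
                and not flags & (TCP_SYN | TCP_FIN | TCP_RST)
                and seq == (expected - 1) & 0xFFFFFFFF):
            hits.append(frame)
            continue                                   # a probe does not advance the stream
        advance = (seq + plen + bool(flags & TCP_SYN) + bool(flags & TCP_FIN)) & 0xFFFFFFFF
        next_seq[flow] = advance if expected is None else max(expected, advance)
    return hits


# Constructed flow modelled on the tshark output: client 42785 -> server 5757.
SAMPLE = [
    build_packet(CLIENT, SERVER, 42785, 5757, 1000, 0, TCP_SYN),
    build_packet(SERVER, CLIENT, 5757, 42785, 5000, 1001, TCP_SYN | TCP_ACK),
    build_packet(CLIENT, SERVER, 42785, 5757, 1001, 5001, TCP_ACK),
    build_packet(CLIENT, SERVER, 42785, 5757, 1001, 5001, TCP_PSH | TCP_ACK, b"hello\r\n"),
    build_packet(SERVER, CLIENT, 5757, 42785, 5001, 1008, TCP_ACK),
    # 1-byte probe: one garbage byte, sequence number one below the next expected byte
    build_packet(CLIENT, SERVER, 42785, 5757, 1007, 5001, TCP_ACK, b"\x00"),
    # keep-alive ACK carrying a SACK block for the probe byte (NOP, NOP, kind 5, len 10)
    build_packet(SERVER, CLIENT, 5757, 42785, 5001, 1008, TCP_ACK,
                 options=b"\x01\x01" + struct.pack("!BBII", 5, 10, 1007, 1008)),
    # 0-byte probe (what Linux sends): same sequence-number trick, no data
    build_packet(CLIENT, SERVER, 42785, 5757, 1007, 5001, TCP_ACK),
    build_packet(SERVER, CLIENT, 5757, 42785, 5001, 1008, TCP_ACK),
]


def summary(pkts: List[bytes]) -> dict:
    return {
        "capture_filter_matches": [i for i, p in enumerate(pkts, 1) if matches_capture_filter(p)],
        "keepalive_probes": find_keepalives(pkts),
    }


if __name__ == "__main__":
    for frame, pkt in enumerate(SAMPLE, start=1):
        flow, seq, flags, plen = parse(pkt)
        print(f"{frame:2d} {flow[1]:5d} -> {flow[3]:5d} seq={seq} len={plen} "
              f"filter={'Y' if matches_capture_filter(pkt) else '-'}")
    print(summary(SAMPLE))
```

On this sample the capture-filter test matches six of the nine frames (every segment that is an ACK with no data, including the SYN/ACK and the ordinary acknowledgements), while the sequence-number heuristic flags only frames 6 and 8, the two probes. That is the gap between what libpcap can do per packet and what a display filter can do with flow state: on a live box, the tcpdump filter is a way to narrow the capture, and the per-host verdict still needs the neighbouring packets. Both the filter and this example are IPv4-only because of the ip[...] offsets.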