I need to analyze a traffic dump on my network to check if all the PCs have enabled TCP keep-alive features. I'm using tcpdump for that purpose.

What I need to know is if there is a possibility to filter for only the keep-alive packets.

On Windows I see that Wireshark can do that, but on my Linux system, which has only console mode, I don't know how to filter that sort of packet.

sysadmin1138
enzo1959

2 Answers


A keepalive probe is a packet with no data in it and the ACK flag turned on.

port="port_number_being_used"
intf="name_of_the_network_interface"
tcpdump -pni ${intf} -v "tcp port ${port} and ( tcp[tcpflags] & tcp-ack != 0 and ( (ip[2:2] - ((ip[0]&0xf)<<2) ) - ((tcp[12]&0xf0)>>2) ) == 0 ) "

What this does:

  • bit-wise AND between the TCP flags field and tcp-ack to make sure it is an ACK
  • the IP packet length (in bytes) minus the IP header length minus the TCP header length, to make sure it has no data

Disclaimer: not actually tested, but should point you in a good direction

NOTE: breakdown of the tcpdump filter to make it more readable. You can probably take out the first set of parens.

tcp port ${port}
and
(
 tcp[tcpflags] & tcp-ack != 0
 and
 (
  (ip[2:2] - ((ip[0] & 0xf) << 2))
  -
  ((tcp[12] & 0xf0) >> 2)
 ) == 0
)
krugger
  • Syntax error. There are 5 opening parens and 3 closing, but I can't get it to work even by closing them all. – Aaron Copley Nov 13 '12 at 00:56
  • This works: ` tcpdump -pni $intf -v "tcp port $port and ( tcp[tcpflags] & tcp-ack != 0 and ( (ip[2:2] - ((ip[0]&0xf)<<2) ) - ((tcp[12]&0xf0)>>2) ) == 0 ) " ` – enzo1959 Apr 29 '15 at 07:12

Wireshark uses the same capture syntax as tcpdump. Both work from libpcap. However, I think the feature you are looking at in Wireshark is a display filter which heuristically analyzes neighboring packets. I think the best you can do at capture is to look for 1-byte or 0-byte ACKs in response to a keep-alive request. Try this:

tcpdump -vv "tcp[tcpflags] == tcp-ack and less 1"

and see if you get traffic between the expected hosts.

RFC 1122 covers TCP Keep-alives and leaves much of the implementation up to the vendor.
Also, you could consider using tcpdump on your Linux host to capture to a file and then transfer the capture to your workstation for analysis.

Aaron Copley
  • Thanks Aaron for the answer (and sorry for my late reply). – enzo1959 Dec 11 '12 at 10:26
  • I found the parameter "less 1" interesting and I tried to use it, but I discovered that on the Windows side Wireshark shows me that there are packets of length = 0, while on the Linux side a command like this # tcpdump -i eth0 -nNvv "tcp port 1959 " never shows me packets of length = 0, and if I use a command with "less 1" I don't see any more traffic: # tcpdump -nNvv " less 2 ". It seems that tcpdump is not able to manage packets of null length – enzo1959 Dec 11 '12 at 10:33
  • Sorry, you don't have to accept my answer if it didn't work for you. I tried it on my end and seemed to get traffic but I wasn't entirely sure what I was looking at (if it was indeed keep-alives or not.) – Aaron Copley Dec 11 '12 at 12:48
  • I have accepted the advice to save the capture to a file and then analyze it with Wireshark. When Wireshark analyzes the file it reports some records with length equal to 0, while tcpdump shows me the same records with a higher length, in this case 52 bytes. – enzo1959 Dec 11 '12 at 14:36
  • Got it. Maybe tcpdump's length is the entire packet size with headers, and what Wireshark is showing is the length of the encapsulated payload? – Aaron Copley Dec 11 '12 at 16:06
  • The ACK to a keepalive request has an internet packet length of 52, but the whole frame length is 66. So to filter that packet I used this command: tcpdump -i eth0 -nnv "port 1959 and tcp[tcpflags] == tcp-ack and ( less 66 and greater 66 )" But this filter gets all packets with len 66. It would be more useful to be able to filter based on the size of the enclosed TCP packet, but I didn't find out how to do that. – enzo1959 Dec 12 '12 at 08:00
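Added example, not code from any answer in this thread: the byte arithmetic of krugger's filter (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) and the frame-length vs. IP-length difference from the comments above, applied in Python to a constructed Ethernet/IPv4/TCP frame. Port 1959, the addresses and the 12-byte option block are sample values chosen so the empty ACK is 66 bytes on the wire and 52 at the IP layer, as in the thread.

```python
import struct

ETH_LEN = 14  # tcpdump's ip[...]/tcp[...] offsets start after the 14-byte Ethernet header


def build_frame(ack: bool, payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + TCP (20-byte header plus 12 bytes
    of NOP/NOP/timestamp options) + payload. With no payload it is 66 bytes on the
    wire and 52 bytes at the IP layer, the two lengths discussed in the comments."""
    opts = b"\x01\x01\x08\x0a" + b"\x00" * 8
    tcp_hdr_len = 20 + len(opts)
    ip_total = 20 + tcp_hdr_len + len(payload)
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    offset_flags = ((tcp_hdr_len // 4) << 12) | (0x10 if ack else 0)
    tcp = struct.pack("!HHIIHHHH", 1959, 40000, 1000, 2000, offset_flags, 65535, 0, 0)
    return eth + ip + tcp + opts + payload


def tcp_payload_len(frame: bytes) -> int:
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), evaluated on raw bytes."""
    ip = frame[ETH_LEN:]
    ip_total = struct.unpack("!H", ip[2:4])[0]  # ip[2:2]: IP total length
    ip_hdr = (ip[0] & 0x0F) << 2                 # IHL in 32-bit words -> bytes
    tcp = ip[ip_hdr:]
    tcp_hdr = (tcp[12] & 0xF0) >> 2              # data offset in words -> bytes
    return ip_total - ip_hdr - tcp_hdr


def is_keepalive_candidate(frame: bytes, max_payload: int = 0) -> bool:
    """ACK set and at most max_payload bytes of data. 0 is the first answer's
    filter; 1 also admits the one-garbage-octet probe that RFC 1122 mentions."""
    ip = frame[ETH_LEN:]
    if ip[0] >> 4 != 4 or ip[9] != 6:            # IPv4 carrying TCP only
        return False
    ip_hdr = (ip[0] & 0x0F) << 2
    ack_set = ip[ip_hdr + 13] & 0x10             # tcp[tcpflags] & tcp-ack
    return bool(ack_set) and 0 <= tcp_payload_len(frame) <= max_payload


def wire_lengths(frame: bytes) -> tuple:
    """What 'less N' / 'greater N' compare against (whole frame) vs. the IP length."""
    return len(frame), struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
```

Like the capture filter, this matches every empty ACK, not only keepalives; separating a probe from an ordinary ACK still needs the sequence-number context that Wireshark's display filter uses, as Aaron's answer notes.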