Linux – How to filter only keep-alive packets with tcpdump

keep-alive, linux, tcpdump

I need to analyze a traffic dump on my network to check if all the PCs have enabled the TCP keep-alive feature.
I'm using tcpdump for that purpose.

What I need to know is if there is a possibility to filter for only the keep-alive packets.

On Windows I see that Wireshark can do that, but on my Linux system, which has only console mode, I don't know how to filter that sort of packet.

Best Answer

A keepalive probe is a packet with no data in it and the ACK flag turned on.

port="port_number_being_used"
intf="name_of_the_network_interface"
# -p: don't put the interface into promiscuous mode, -n: no name resolution,
# -i: interface to capture on, -v: verbose packet output
tcpdump -pni ${intf} -v "tcp port ${port} and ( tcp[tcpflags] & tcp-ack != 0 and ( (ip[2:2] - ((ip[0]&0xf)<<2) ) - ((tcp[12]&0xf0)>>2) ) == 0 ) "

what this does:

  • bit-wise and between tcp flags field and tcp-ack to make sure it is an ACK
  • The IP packet length (in bytes) - The IP header length - The TCP Header Length to make sure it has no data

Disclaimer: not actually tested, but should point you in a good direction.

NOTE: breakdown of the tcpdump filter to make it more readable. Probably can take out the first set of parens.

tcp port ${port}
and
(
 tcp[tcpflags] & tcp-ack != 0
 and
 (
  (ip[2:2] - ((ip[0] & 0xf) << 2))
  -
  ((tcp[12] & 0xf0) >> 2)
 ) == 0
)
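To see exactly what the filter expression computes on each packet, here is an added Python example (not part of the original answer) that re-implements the same arithmetic over raw IPv4/TCP packets constructed inline: `ip[2:2]` is the IP total length, `(ip[0]&0xf)<<2` the IP header length in bytes, `(tcp[12]&0xf0)>>2` the TCP data offset in bytes, and the difference is the TCP payload length. It goes one step beyond the answer with a Wireshark-style stateful check, because the pcap expression matches every empty ACK segment (any plain acknowledgement), while a keep-alive probe is the empty (or one-byte) segment whose sequence number sits one below the sender's next expected sequence number. The packet builder, addresses, ports and sequence numbers are all constructed for the demo.

```python
import struct
from typing import Dict, List, Tuple

# TCP flag bits as found in tcp[13] (tcpdump's tcp-ack, tcp-syn, tcp-fin, tcp-rst).
ACK, SYN, FIN, RST = 0x10, 0x02, 0x01, 0x04


def build_packet(src: str, dst: str, sport: int, dport: int,
                 seq: int, ack: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet for offline testing (no options, checksums left 0)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4,          # data offset = 5 words (20 bytes), i.e. tcp[12]
                          flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,            # version 4, IHL 5 words -> ip[0] & 0xf == 5
                         0, total_len, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload


def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) << 2                       # (ip[0]&0xf)<<2


def tcp_payload_len(pkt: bytes) -> int:
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), as the filter computes it."""
    ip_total_len = struct.unpack_from("!H", pkt, 2)[0]  # ip[2:2]
    ihl = ip_header_len(pkt)
    tcp_hdr_len = (pkt[ihl + 12] & 0xF0) >> 2           # (tcp[12]&0xf0)>>2
    return ip_total_len - ihl - tcp_hdr_len


def tcp_flags(pkt: bytes) -> int:
    return pkt[ip_header_len(pkt) + 13]                 # tcp[tcpflags]


def matches_answer_filter(pkt: bytes) -> bool:
    """The pcap expression from the answer: ACK set and zero TCP payload bytes."""
    return (tcp_flags(pkt) & ACK) != 0 and tcp_payload_len(pkt) == 0


class KeepaliveDetector:
    """Stateful heuristic (Wireshark-style, beyond the answer's stateless filter):
    a keep-alive is a segment with 0 or 1 payload bytes, no SYN/FIN/RST, whose
    sequence number is one below the next sequence number expected from that sender."""

    def __init__(self) -> None:
        self.next_seq: Dict[Tuple[bytes, int, bytes, int], int] = {}

    def feed(self, pkt: bytes) -> bool:
        ihl = ip_header_len(pkt)
        src, dst = pkt[12:16], pkt[16:20]
        sport, dport, seq = struct.unpack_from("!HHI", pkt, ihl)
        key = (src, sport, dst, dport)
        flags = tcp_flags(pkt)
        plen = tcp_payload_len(pkt)
        expected = self.next_seq.get(key)
        is_keepalive = (expected is not None
                        and seq == ((expected - 1) & 0xFFFFFFFF)
                        and plen <= 1
                        and not flags & (SYN | FIN | RST))
        if not is_keepalive:
            # SYN and FIN each consume one sequence number; probes never advance it.
            self.next_seq[key] = (seq + plen + bool(flags & (SYN | FIN))) & 0xFFFFFFFF
        return is_keepalive


def demo() -> List[Tuple[str, bool, bool]]:
    """Run both checks over a constructed one-directional flow 10.0.0.1:40000 -> 10.0.0.2:22."""
    det = KeepaliveDetector()
    a, b = "10.0.0.1", "10.0.0.2"
    pkts = [
        ("SYN",              build_packet(a, b, 40000, 22, 999, 0, SYN)),            # next: 1000
        ("data",             build_packet(a, b, 40000, 22, 1000, 500, ACK, b"hello")),  # next: 1005
        ("plain ACK",        build_packet(a, b, 40000, 22, 1005, 600, ACK)),
        ("keep-alive",       build_packet(a, b, 40000, 22, 1004, 600, ACK)),
        ("keep-alive+1byte", build_packet(a, b, 40000, 22, 1004, 600, ACK, b"\x00")),
    ]
    return [(name, matches_answer_filter(p), det.feed(p)) for name, p in pkts]


if __name__ == "__main__":
    for name, by_filter, by_detector in demo():
        print(f"{name:18s} answer filter={by_filter!s:5s} stateful keep-alive={by_detector}")
```

On the constructed flow the answer's expression selects both the plain ACK and the zero-byte probe, and does not select a probe carrying one garbage byte (some stacks send those); the stateful check selects only the two probes. If a capture file is available, the same Wireshark heuristic can be applied from the console with `tshark -r capture.pcap -Y tcp.analysis.keep_alive`.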