Linux – How to tcpdump monitor TCP disconnect and log timedate stamp


I have two servers each running a Java application that creates two separate TCP connections, one from HostA -> HostB and one from HostB -> HostA on separate ports.

I am told the TCP connection is lost and re-established, but the client is unable to provide me the time and date of when it happens.

Can I set up tcpdump on HostA to monitor the specific port purely to tell me when it disconnects? Same for the HostB connection? I don't care about payload data etc.

I looked at the man page, found some HowTos online, Google searched, etc. I didn't see examples of what I am looking for. Thank you if you can help.

Best Answer

"Disconnecting" in TCP actually involves each host saying "I have nothing more to send" and the other host acknowledging that; when both hosts have done that, the connection is closed. See Closing a Connection in RFC 793.

As Nath noted, a connection can also be forcibly closed with a "reset" indication.

So what you're looking for are the FINs that indicate "I have nothing more to say" and the RSTs that indicate "I don't have a connection like that". You'd want to run tcpdump with a filter that looks for traffic to or from the specific port and that has the FIN flag set. With current versions of libpcap/WinPcap, you could use a filter such as

tcp port XXX and (tcp[tcpflags] & (tcp-fin|tcp-rst)) != 0

with XXX being the port number. Note that, for a clean close, this will capture multiple packets, as each side has to send a "I have no more data to send" indication.

This will, unfortunately, not work with IPv6, just with IPv4.
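To turn the filter above into the date/time log the question asks for, here is an added example (not part of the question or the answer): a small POSIX shell script that prints the tcpdump command with human-readable timestamps (`-tttt`) and reduces each captured FIN/RST line to one log line with the time, the event kind and the two endpoints. Port 5000 stands in for XXX, and the three tcpdump output lines are constructed for the demonstration, not a real capture.

```shell
#!/bin/sh
# Added example; assumes port 5000 stands in for the XXX in the answer's filter.

# Print the capture command one would run (as root) on HostA or HostB:
#   -i any   all interfaces      -n     no DNS lookups
#   -l       line-buffered, so a tee'd log file fills as packets arrive
#   -tttt    print a full date and time for every packet
capture_cmd() {
  printf 'tcpdump -i any -n -l -tttt "tcp port %s and (tcp[tcpflags] & (tcp-fin|tcp-rst)) != 0" | tee -a disconnects.log\n' "$1"
}

# Constructed sample of what tcpdump -tttt prints for that filter (not real data):
# a clean close (FIN from each side) followed later by a reset.
SAMPLE='2023-05-01 10:15:32.123456 IP 10.0.0.1.5000 > 10.0.0.2.43210: Flags [F.], seq 100, ack 200, win 500, length 0
2023-05-01 10:15:32.123900 IP 10.0.0.2.43210 > 10.0.0.1.5000: Flags [F.], seq 200, ack 101, win 500, length 0
2023-05-01 10:20:01.000001 IP 10.0.0.2.43210 > 10.0.0.1.5000: Flags [R.], seq 300, ack 101, win 0, length 0'

# Reduce tcpdump lines on stdin to "<date> <time> <FIN|RST> <src> -> <dst>".
# Fields are located by scanning rather than by fixed position, so the extra
# "In"/"Out" token that newer tcpdump versions print with -i any is ignored.
summarize() {
  awk '{
    ts = $1 " " $2; src = ""; dst = ""; kind = "FIN"
    for (i = 1; i <= NF; i++) {
      if ($i == ">") { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst) }
      if ($i ~ /^\[[A-Z.]+\],?$/ && $i ~ /R/) kind = "RST"
    }
    if (src != "") print ts, kind, src, "->", dst
  }'
}

# Count events of one kind (FIN or RST) in the constructed sample.
event_count() {
  printf '%s\n' "$SAMPLE" | summarize | grep -c "$1"
}

# Demo: show the command for port 5000, then the summarized sample.
capture_cmd 5000
printf '%s\n' "$SAMPLE" | summarize
```

In production the `summarize` function would read the live `tcpdump` output (or the saved `disconnects.log`) instead of `$SAMPLE`; a clean close shows up as two FIN lines close together, as the answer notes, while a single RST line marks a forced close.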