How to filter keepalive packets with tcpdump

Posted on 2002-04-02
Last Modified: 2013-12-07
Hi,

Can anyone tell how to filter out the 'keepalive' packets with tcpdump?

Paul.
Question by:Paul Sinnema

Expert Comment

by:scraig84
ID: 6913053
What type of "keepalive" packets?  There is no universal "keepalive" that I am aware of.  This depends on the application and/or protocol.

Expert Comment

by:SteveJ
ID: 6913293
Yep, I begrudgingly agree with Viking-fan scraig84. You'll need to identify the uniqueness of the 'keepalive' packets in question to isolate them.

Good luck.
Steve

Author Comment

by:Paul Sinnema
ID: 6914067
Well, the obvious question then is: how do I do that? I'm no expert on the TCP subject. Tell me what to do.

Maybe I should ask this question to an Oracle specialist, because we're talking about 'keepalives' sent by the SQL*Net of Oracle.

I've added the (ENABLE=BROKEN) option to the 'tnsnames.ora' for the connection we use. This should result in the client sending 'keepalives' (I don't know which type).

Expert Comment

by:SteveJ
ID: 6914162
Adding the ENABLE=BROKEN causes keepalives . . . and you want to filter them? Or is it that you want to see if the client keepalives are actually arriving? Are you using the default SQL*Net port 1521 for TNS connections? What OS is the client running? On NT, for example, you have to configure keepalives in the registry

HKEY_LOCAL_MACHINE / System / CurrentControlSet / Tcpip / Parameters

And add a DWORD called KeepAliveTime with a value of 60000 (which equates to 1 minute). Then reboot.

What exactly are you looking for?

Good luck.
Steve

Author Comment

by:Paul Sinnema
ID: 6915248
Thanks Steve,

You're right. I have to rephrase my question. We want to see if the keepalives are actually arriving on a Linux machine. We're using port 1521. We've changed the OS's default from 7200 secs to 30 secs using the following phrase:

echo 30 >/proc/sys/net/ipv4/tcp_keepalive_time

We've added the following sentence to tnsnames.ora:

(ENABLE=BROKEN)

Well that's it. Tell me more.

Expert Comment

by:scraig84
ID: 6915367
If 1521 is your destination TCP port, I believe you can just add "dst port 1521" to your tcpdump expression.  For more details, you can check out:

http://www.tcpdump.org/tcpdump_man.html

Expert Comment

by:SteveJ
ID: 6915469
First of all, I'd have the client open a TNS connection to your linux box and then have the client move away from the keyboard (do nothing). Then I'd run tcpdump and capture based on the client's IP address. scraig84's idea is ok if there's no other traffic on your network except the single client. But if you trap all the data destined for port 1521 on an oracle server you'll basically get everything. Actually, if the client is nearby it would be a lot easier to simply trap all of the outbound data at the client machine.

By the way, what are you trying to do? Are connections dropping when idle and you don't want them to? I'm pretty sure that by default an entry in the listener.ora file sets a connection timeout at 10 seconds. Attach to the listener and do 'show connection_timeout'.

Good luck.
Steve
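A worked example added here (not code from the thread, from tcpdump or from Oracle) that follows up the two suggestions above, "dst port 1521" and capturing by client address. It shows the header arithmetic behind a capture filter that keeps only empty ACK segments on the Oracle port, which is as close as a stateless BPF expression gets to "keepalives", and then the check that actually identifies a keepalive probe: an empty ACK whose sequence number is one below the sender's next sequence number (snd_nxt - 1). BPF cannot express that second test because it needs per-connection state, so it is done here in Python over a constructed trace. The client address 10.0.0.5, the interface name, and the packets in SAMPLE_TRACE are assumptions made for illustration.

```python
"""Added example, not from the thread: the header arithmetic behind a tcpdump
filter for empty ACK segments, plus the sequence-number check that separates
a real keepalive probe from any other empty ACK. Host, port and the packets
below are constructed for illustration."""
import socket
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# The capture filter this code mirrors (IPv4 only: ip[...] are IPv4 offsets).
# Empty-segment test: total length - IP header length - TCP header length == 0.
TCPDUMP_FILTER = (
    "host 10.0.0.5 and tcp port 1521"
    " and (tcp[tcpflags] & tcp-ack) != 0"
    " and (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) == 0"
)


def parse_ipv4_tcp(pkt):
    """Decode the fields the filter reads from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) << 2                         # ip[0]&0xf, in bytes
    total_len = struct.unpack_from("!H", pkt, 2)[0]    # ip[2:2]
    if pkt[9] != 6:                                    # protocol is not TCP
        return None
    sport, dport, seq = struct.unpack_from("!HHI", pkt, ihl)
    data_off = (pkt[ihl + 12] & 0xF0) >> 2             # (tcp[12]&0xf0)>>2, in bytes
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq,
        "flags": pkt[ihl + 13],
        "payload_len": total_len - ihl - data_off,
    }


def matches_filter(pkt, host="10.0.0.5", port=1521):
    """Same decision as TCPDUMP_FILTER: an empty ACK segment on this host/port."""
    h = parse_ipv4_tcp(pkt)
    return (h is not None
            and host in (h["src"], h["dst"])
            and port in (h["sport"], h["dport"])
            and (h["flags"] & ACK) != 0
            and h["payload_len"] == 0)


def classify(packets):
    """Label each packet in capture order. A keepalive probe is an empty
    ACK-only segment whose seq is one below the sender's next sequence
    number (snd_nxt - 1); that is what makes the peer ACK it without
    accepting data. Any other empty ACK is an ordinary acknowledgement."""
    snd_nxt = {}
    labels = []
    for pkt in packets:
        h = parse_ipv4_tcp(pkt)
        key = (h["src"], h["sport"], h["dst"], h["dport"])
        expected = snd_nxt.get(key)
        control = h["flags"] & (SYN | FIN | RST)
        if h["payload_len"] == 0 and h["flags"] & ACK and not control:
            if expected is not None and h["seq"] == (expected - 1) & 0xFFFFFFFF:
                labels.append("keepalive")
            else:
                labels.append("pure-ack")
        elif control:
            labels.append("control")
        else:
            labels.append("data")
        # Advance snd_nxt; SYN and FIN each consume one sequence number.
        nxt = (h["seq"] + h["payload_len"]
               + (1 if h["flags"] & SYN else 0) + (1 if h["flags"] & FIN else 0))
        if expected is None or nxt > expected:     # a probe must not move it back
            snd_nxt[key] = nxt
    return labels


def make_packet(src, sport, dst, dport, seq, flags, payload=b""):
    """Constructed IPv4/TCP packet (no checksums, no options) for testing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 1521)

# Constructed idle-connection trace: 100 bytes of data, the server's ACK, a
# keepalive probe (seq 1099 = 1100 - 1), a later ordinary ACK, more data.
SAMPLE_TRACE = [
    make_packet(*CLIENT, *SERVER, 1000, ACK, b"Q" * 100),
    make_packet(*SERVER, *CLIENT, 5000, ACK),
    make_packet(*CLIENT, *SERVER, 1099, ACK),
    make_packet(*CLIENT, *SERVER, 1100, ACK),
    make_packet(*CLIENT, *SERVER, 1100, ACK, b"R" * 50),
]

if __name__ == "__main__":
    print("tcpdump -nn -i eth0", repr(TCPDUMP_FILTER))
    for label, pkt in zip(classify(SAMPLE_TRACE), SAMPLE_TRACE):
        print(f"{label:10s} filter={'match' if matches_filter(pkt) else 'drop'}")
```

In a live capture the filter string goes straight to tcpdump (`tcpdump -nn -i eth0 'host 10.0.0.5 and tcp port 1521 and ...'`); it drops every segment that carries data, so the remaining lines are a short list of empty ACKs in which a probe shows up as `seq N` with N one below the previous segment's `seq + length`. Wireshark performs the same stateful check and labels such segments [TCP Keep-Alive]. Two caveats: the `ip[...]` offsets are IPv4 only, and RFC 1122 allows a probe to carry one garbage byte, so on a stack that does this the `== 0` clause would have to become `<= 1`.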

Author Comment

by:Paul Sinnema
ID: 6917447
Thanks guys,

We had a problem with 'FAST REFRESH' on a 'SNAPSHOT'. The problem is as follows:

- We use an ISDN dial-up connection to a customer where the remote database is.
- We start a 'FAST REFRESH' for several 'SNAPSHOTS' in the local database (replication).
- When the process starts, a job at the remote database starts to look in a so-called 'LOG' to trace which entries for the table were altered since the last 'REFRESH'.
- Most of the time that takes longer than the ISDN line takes to drop (losing the connection) after 2 minutes.
- We hope that adding the (ENABLE=BROKEN) to the tnsnames.ora keeps the line open for as long as the database link is active.

We want to see if the 'keepalives' are actually sent.

Paul.

Accepted Solution

by:SteveJ (earned 50 total points)
ID: 6918336
What are the keepalive timer values on the remote machine? If the connection drops after two minutes, then the keepalive interval needs to be less than two minutes. Is the ISDN "connection idle" timer set at 2 minutes?


LOW TECH:

Have the remote job start a ping back toward your linux box when it starts up.

Set the ISDN "no activity timer" to 10 or 15 minutes.

What's the OS on the remote machine?

Good luck.
Steve
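A worked example added here (not code from the thread or from Oracle) that ties together the earlier post on `/proc/sys/net/ipv4/tcp_keepalive_time` and the timer question in the accepted answer. The point the thread circles around is that the sysctl only sets a system-wide default: the kernel sends no probe on a socket unless the application has set SO_KEEPALIVE, which is what (ENABLE=BROKEN) exists to make Oracle Net do. The code below enables keepalive on a plain socket, reads back the timers the kernel will use, and checks the probe timing against a link idle timeout such as the 2-minute ISDN drop. The timer values 30/10/3 and the 120-second line timeout are assumptions for illustration; the per-socket option names are the Linux ones (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT).

```python
"""Added example, not from the thread: what (ENABLE=BROKEN) has to achieve at
the socket level. The sysctl tcp_keepalive_time only sets the default idle
timer; the kernel sends no probe at all on a socket that has not set
SO_KEEPALIVE. The timer values here are assumed for illustration."""
import socket

# Assumed timers: first probe after 30 s idle, then one every 10 s,
# give up after 3 unanswered probes.
IDLE_SECS, INTERVAL_SECS, PROBE_COUNT = 30, 10, 3

# Linux option names; macOS calls the idle timer TCP_KEEPALIVE, and other
# systems may offer only SO_KEEPALIVE and use the system-wide defaults.
_IDLE_OPT = getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))
_INTVL_OPT = getattr(socket, "TCP_KEEPINTVL", None)
_CNT_OPT = getattr(socket, "TCP_KEEPCNT", None)


def keepalive_settings(sock):
    """Read back what the kernel will use for this socket (None = not settable here)."""
    def opt(level, name):
        return sock.getsockopt(level, name) if name is not None else None
    return {
        "enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0,
        "idle": opt(socket.IPPROTO_TCP, _IDLE_OPT),
        "interval": opt(socket.IPPROTO_TCP, _INTVL_OPT),
        "count": opt(socket.IPPROTO_TCP, _CNT_OPT),
    }


def enable_keepalive(sock, idle=IDLE_SECS, interval=INTERVAL_SECS, count=PROBE_COUNT):
    """Turn probes on for this socket and override the system defaults for it
    only, so nothing in /proc/sys has to change and no other socket is affected."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in ((_IDLE_OPT, idle), (_INTVL_OPT, interval), (_CNT_OPT, count)):
        if name is not None:
            sock.setsockopt(socket.IPPROTO_TCP, name, value)
    return keepalive_settings(sock)


def show_defaults_then_enable():
    """Open a plain socket; return its settings before and after enabling."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return keepalive_settings(s), enable_keepalive(s)


def keeps_line_up(line_idle_timeout, idle=IDLE_SECS, interval=INTERVAL_SECS):
    """True if probes arrive often enough that a link with this idle timeout
    (the ISDN router's 'no activity' timer, e.g. 120 s) never sees a silent
    gap as long as the timer: the gap before the first probe is `idle`, and
    between probes `interval`, so both must be shorter than the timeout."""
    return idle < line_idle_timeout and interval < line_idle_timeout


def dead_peer_detected_after(idle=IDLE_SECS, interval=INTERVAL_SECS, count=PROBE_COUNT):
    """Seconds of silence before the kernel gives up on a peer that is gone:
    the last probe goes out at idle + (count - 1) * interval and the
    connection is aborted one interval later."""
    return idle + interval * count


if __name__ == "__main__":
    before, after = show_defaults_then_enable()
    print("before:", before)   # enabled False: the sysctl alone sends nothing
    print("after: ", after)
    print("keeps a 120 s ISDN line up:", keeps_line_up(120))
    print("dead peer noticed after", dead_peer_detected_after(), "s")
```

The `before` line is the check worth running on the real client: if a tcpdump capture shows no probes at all, the first thing to rule out is that the socket never had SO_KEEPALIVE set, in which case the 30-second sysctl is simply unused. With the default 7200-second idle timer `keeps_line_up(120)` is False, which is why the system default had to be lowered (or overridden per socket as above) before the ISDN idle timer could be defeated.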
