Solved

How to filter keepalive packets with tcpdump

Posted on 2002-04-02
Last Modified: 2013-12-07
Hi,

Can anyone tell how to filter out the 'keepalive' packets with tcpdump?

Paul.
0
Question by:Paul Sinnema
10 Comments
 
LVL 8

Expert Comment

by:scraig84
ID: 6913053
What type of "keepalive" packets?  There is no universal "keepalive" that I am aware of.  This depends on the application and/or protocol.
0
 
LVL 16

Expert Comment

by:SteveJ
ID: 6913293
Yep, I begrudgingly agree with Viking-fan scraig84. You'll need to identify the uniqueness of the 'keepalive' packets in question to isolate them.

Good luck.
Steve
0
 

Author Comment

by:Paul Sinnema
ID: 6914067
Well, the obvious question then is: how do I do that? I'm no expert on the TCP subject. Tell me what to do.

Maybe I should ask this question to an Oracle specialist, because we're talking about 'keepalives' sent by the SQL*Net of Oracle.

I've added the (ENABLE=BROKEN) option to the 'tnsnames.ora' for the connection we use. This should result in the client sending 'keepalives' (I don't know which type).
0

 
LVL 16

Expert Comment

by:SteveJ
ID: 6914162
Adding the ENABLE=BROKEN causes keepalives . . . and you want to filter them? Or is it that you want to see if the client keepalives are actually arriving? Are you using the default SQL*Net port 1521 for TNS connections? What OS is the client running? On NT, for example, you have to configure keepalives in the registry

HKEY_LOCAL_MACHINE / System / CurrentControlSet / Tcpip / Parameters

And add a DWORD called KeepAliveTime with a value of 60000 (which equates to 1 minute). Then reboot.

What exactly are you looking for?

Good luck.
Steve
0
 

Author Comment

by:Paul Sinnema
ID: 6915248
Thanks Steve,

You're right. I have to rephrase my question. We want to see if the keepalives are actually arriving on a Linux machine. We're using port 1521. We've changed the OS's default from 7200 secs to 30 secs using the following command:

echo 30 >/proc/sys/net/ipv4/tcp_keepalive_time

We've added the following sentence to tnsnames.ora:

(ENABLE=BROKEN)

Well that's it. Tell me more.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 6915367
If 1521 is your destination TCP port, I believe you can just add "dst port 1521" to your tcpdump expression.  For more details, you can check out:

http://www.tcpdump.org/tcpdump_man.html
0
 
LVL 16

Expert Comment

by:SteveJ
ID: 6915469
First of all, I'd have the client open a TNS connection to your Linux box and then have the client move away from the keyboard (do nothing). Then I'd run tcpdump and capture based on the client's IP address. scraig84's idea is ok if there's no other traffic on your network except the single client. But if you trap all the data destined for port 1521 on an Oracle server you'll basically get everything. Actually, if the client is nearby it would be a lot easier to simply trap all of the outbound data at the client machine.

By the way, what are you trying to do? Are connections dropping when idle and you don't want them to? I'm pretty sure that by default an entry in the listener.ora file sets a connection timeout at 10 seconds. Attach to the listener and do 'show connection_timeout'.

Good luck.
Steve
0
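Added example, not part of the thread: tcpdump's filter language is stateless, so the closest expression (held in BPF below, IPv4 only) matches every bare ACK with 0 or 1 payload bytes on port 1521, including ordinary ACKs. The Python around it applies the extra test that marks a keepalive probe, a sequence number one below the sender's next expected one; the function names, addresses and packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Stateless tcpdump approximation: bare ACK, 0 or 1 payload bytes, port 1521.
BPF = ("tcp port 1521 and tcp[tcpflags] == tcp-ack and "
       "(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 1)")
ACK, SYN_FIN = 0x10, 0x03

def parse(pkt):
    """Raw IPv4 packet -> (flow, seq, flags, payload_len), same offsets as BPF."""
    ihl = (pkt[0] & 0x0F) * 4                      # ip[0] & 0xf, in bytes
    total = struct.unpack("!H", pkt[2:4])[0]       # ip[2:2], total length
    sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    doff = (pkt[ihl + 12] >> 4) * 4                # tcp[12] data offset, in bytes
    flow = (str(IPv4Address(pkt[12:16])), sport, str(IPv4Address(pkt[16:20])), dport)
    return flow, seq, pkt[ihl + 13] & 0x3F, total - ihl - doff

def find_keepalives(packets):
    """Indexes of probes; assumes an in-order capture without retransmissions."""
    next_seq, hits = {}, []
    for i, pkt in enumerate(packets):
        flow, seq, flags, plen = parse(pkt)
        expected = next_seq.get(flow)
        if (flags == ACK and plen <= 1 and expected is not None
                and seq == (expected - 1) % 2**32):
            hits.append(i)                         # probe: sequence space unchanged
            continue
        consumed = plen + (1 if flags & SYN_FIN else 0)   # SYN/FIN take one seq
        next_seq[flow] = (seq + consumed) % 2**32
    return hits

def mk(src, dst, sport, dport, seq, flags, payload=b""):
    """Build a constructed IPv4+TCP packet (no options, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp + payload

C, S = ("192.0.2.10", "192.0.2.20"), ("192.0.2.20", "192.0.2.10")
SAMPLE = [                                         # constructed idle SQL*Net session
    mk(*C, 40000, 1521, 1000, 0x02),               # 0 client SYN
    mk(*C, 40000, 1521, 1001, ACK),                # 1 handshake ACK
    mk(*C, 40000, 1521, 1001, 0x18, b"x" * 50),    # 2 data (PSH|ACK)
    mk(*C, 40000, 1521, 1050, ACK),                # 3 keepalive probe
    mk(*S, 1521, 40000, 5000, ACK),                # 4 server's reply ACK
    mk(*C, 40000, 1521, 1051, ACK),                # 5 ordinary ACK
    mk(*C, 40000, 1521, 1050, ACK),                # 6 keepalive probe
]
```

On a connection that is otherwise idle, the bare ACKs the BPF expression lets through should repeat at the configured keepalive interval, each answered by an ACK from the peer.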
 

Author Comment

by:Paul Sinnema
ID: 6917447
Thanks guys,

We had a problem with 'FAST REFRESH' on a 'SNAPSHOT'. The problem is as follows:

- We use an ISDN dialup connection to a customer where the remote database is.
- We start a 'FAST REFRESH' for several 'SNAPSHOTS' in the local database (replication).
- When the process starts, a job at the remote database starts to look in a so-called 'LOG' to trace which entries for the table were altered since the last 'REFRESH'.
- Most of the time that takes longer than the ISDN line to drop (losing the connection) after 2 minutes.
- We hope that adding the (ENABLE=BROKEN) to the tnsnames.ora keeps the line open for as long as the database link is active.

We want to see if the 'keepalives' are actually sent.

Paul.
0
 
LVL 16

Accepted Solution

by:
SteveJ earned 50 total points
ID: 6918336
What are the keepalive timer values on the remote machine? If the connection drops after two minutes, then the keepalive interval needs to be less than two minutes. Is the ISDN "connection idle" timer set at 2 minutes?


LOW TECH:

Have the remote job start a ping back toward your linux box when it starts up.

Set the ISDN "no activity timer" to 10 or 15 minutes.

What's the OS on the remote machine?

Good luck.
Steve
0
 

Expert Comment

by:CleanupPing
ID: 9155743
Paul Sinnema:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
