AIX


Keep-Alive packets on AIX

  • 1.  Keep-Alive packets on AIX

    Posted Mon February 01, 2016 05:35 AM

    Originally posted by: dxdyd


    Using AIX 7.1.


    There is a big value on the keep-alive counter:

    ~$ netstat -s | grep keep
            127054366 keepalive timeouts
                    127052722 keepalive probes sent
                    31 connections dropped by keepalive
            0 spliced connections keepalive timeout


    Does anyone know how to catch these packets with tcpdump or another tool?

    There is no output from this command:

    tcpdump -i en0 -vv "tcp[tcpflags] == tcp-ack and less 1"

    and Wireshark doesn't help me (filter 'tcp.analysis.keep_alive').

  • 2.  Re: Keep-Alive packets on AIX

    Posted Fri February 12, 2016 01:44 AM

    Originally posted by: SivakumarKrishnasamy


    Try the tcpdump filter below and see if it helps:

          tcpdump -vv -i en0 " ( tcp[tcpflags] & tcp-ack != 0 and ( (ip[2:2] - ((ip[0]&0xf)<<2) ) - ((tcp[12]&0xf0)>>2) -1 ) == 0 )"

    A few things to consider here:

    1. netstat reports cumulative statistics for all configured interfaces, so while tcpdump captures packets on one specific interface, TCP connections over other interfaces may be the ones sending these keepalive packets. Make sure you run tcpdump on the right interface.
    2. The network options tcp_keepidle and tcp_keepintvl control when and how frequently these keepalive packets are sent, so make sure you run tcpdump long enough to capture them. With the AIX default values, the first keepalive probe is sent only after a TCP connection has been idle for 7200 seconds (14400 half seconds), and from that point on the value of tcp_keepintvl decides how frequently the probes are sent. (These tunables can be controlled at the socket level too, using the setsockopt subroutine, and socket-level settings take precedence over the system-wide network options.)

    Your Wireshark filter string seems right; maybe you just didn't capture the keepalive packets (i.e. during your tcpdump run no keepalive probe packets were sent out). When you run the tcpdump command above, make sure the relevant netstat statistics show an increase (which will confirm that keepalive probe packets are being sent out).
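The tcpdump filter in the reply above packs three header lookups into one expression, which makes it hard to see what it actually passes. The script below is an added example, not code from either poster: it evaluates the same test in plain Python over hand-constructed IPv4/TCP packets (constructed sample data, not captures from the poster's system). It shows that the filter means "ACK flag set and exactly one byte of TCP payload", that it accounts for IP and TCP option headers correctly, and that an ordinary zero-length ACK does not match. All packet values (addresses, ports, sequence numbers) are arbitrary placeholders.

```python
"""Replicate the posted tcpdump keepalive filter in Python (added example):

    tcp[tcpflags] & tcp-ack != 0  and
    (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) - 1 == 0

tcpdump's ip[] indexes from the start of the IP header and tcp[] from the
start of the TCP header; the functions below index the same way.
"""
import struct

TCP_ACK = 0x10   # ACK bit in tcp[tcpflags] (byte 13 of the TCP header)
TCP_PSH = 0x08


def build_ipv4_tcp(payload: bytes, ip_options: bytes = b"",
                   tcp_options: bytes = b"", flags: int = TCP_ACK) -> bytes:
    """Build a minimal IPv4+TCP packet with constructed placeholder values.
    Checksums are left zero; the filter never looks at them.  Options are
    padded to a multiple of 4 bytes, as they must be on the wire."""
    ip_options += b"\x00" * (-len(ip_options) % 4)
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    ihl_words = (20 + len(ip_options)) // 4        # ip[0] & 0xf
    doff_words = (20 + len(tcp_options)) // 4      # tcp[12] >> 4
    total_len = ihl_words * 4 + doff_words * 4 + len(payload)   # ip[2:2]
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 22, 1000, 2000, doff_words << 4, flags,
                          65535, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def tcp_payload_len(pkt: bytes) -> int:
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2): total length minus
    IP header length minus TCP header length, i.e. the TCP payload size."""
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_hdr_len = (pkt[0] & 0x0F) << 2
    tcp = pkt[ip_hdr_len:]
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2
    return ip_total_len - ip_hdr_len - tcp_hdr_len


def matches_keepalive_filter(pkt: bytes) -> bool:
    """True exactly when the posted tcpdump filter would pass the packet."""
    ip_hdr_len = (pkt[0] & 0x0F) << 2
    tcp_flags = pkt[ip_hdr_len + 13]               # tcp[tcpflags]
    return (tcp_flags & TCP_ACK) != 0 and tcp_payload_len(pkt) - 1 == 0


def run_samples() -> dict:
    """Constructed sample segments and whether the filter passes each one."""
    timestamp_opt = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, TS (12 bytes)
    router_alert = b"\x94\x04\x00\x00"                  # 4-byte IP option
    samples = {
        "ack_1byte_plain": build_ipv4_tcp(b"\x00"),
        "ack_1byte_tcp_options": build_ipv4_tcp(b"\x00", tcp_options=timestamp_opt),
        "ack_1byte_ip_options": build_ipv4_tcp(b"\x00", ip_options=router_alert),
        "ack_0byte_pure_ack": build_ipv4_tcp(b""),
        "psh_1byte_no_ack": build_ipv4_tcp(b"\x00", flags=TCP_PSH),
        "ack_psh_10byte_data": build_ipv4_tcp(b"GET / HTTP", flags=TCP_ACK | TCP_PSH),
    }
    return {name: matches_keepalive_filter(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:26s} payload={tcp_payload_len(build_ipv4_tcp(b'')) if False else ''}{'match' if hit else 'no match'}")
```

The `- 1` at the end of the posted expression is what separates a one-byte probe from an ordinary pure ACK; drop it and every empty ACK on the interface would match. The header-length subtractions matter too: a segment carrying TCP timestamp options or an IP option still has a one-byte payload and still passes. For comparison, tcpdump's `less N` in the first post means a total frame length of at most N bytes, so `less 1` can never match a TCP segment, which is why that capture stayed empty regardless of whether probes were being sent.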