How to graph keep-alive timers from tcpdump

chrisraper · ‎07-17-2014

I am trying to use Splunk to monitor the time between keep alives between servers. The data has been captured using tcpdump (and filtered using awk) to only show the time, source and destination IP's and Ports (i.e. port 32640 & 32512).

I want to be able to graph the time between the keep alive per host, and show the average. Basically with the end goal being to see when the time between the keep alive between the servers start to increase (due to network latency etc).

A sample of the data is below.
192.168.10.50 is the server,

11:10:11.482331 10.0.6.190.32512 192.168.10.50.32640:
11:10:11.482523 10.0.6.98.32512 192.168.10.50.32640:
11:10:11.590070 10.0.6.185.32512 192.168.10.50.32640:
11:10:11.763787 10.0.6.2.32640 192.168.10.50.32640:
11:12:01.482331 10.0.6.190.32512 192.168.10.50.32640:
11:12:01.482523 10.0.6.98.32512 192.168.10.50.32640:
11:12:01.590070 10.0.6.185.32512 192.168.10.50.32640:
11:12:01.763787 10.0.6.2.32640 192.168.10.50.32640:
11:14:21.482331 10.0.6.190.32512 192.168.10.50.32640:
11:14:21.482523 10.0.6.98.32512 192.168.10.50.32640:
11:14:21.590070 10.0.6.185.32512 192.168.10.50.32640:
11:14:21.763787 10.0.6.2.32640 192.168.10.50.32640:

martin_mueller · ‎07-18-2014

I'm assuming the host's IP is extracted in src_ip.

base search | streamstats window=1 current=f global=f last(_time) as last_time by src_ip | eval diff = last_time - _time | timechart avg(diff) by src_ip

Copy over the neighboring timestamp to each event by src_ip, calculate difference, chart difference over time by src_ip.

How to graph keep-alive timers from tcpdump

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!