Check SO_KEEPALIVE is being enabled

If you think TCP keepalives are being enabled but want to confirm it, this is relatively easy on Win08 / Win7.

To do this we create an ETW trace using a netsh scenario and then view the resulting ETL file in Event Viewer.

You can list the netsh trace scenarios like this:

PS C:\tmp> netsh trace show scenarios

Available scenarios (18):
AddressAcquisition : Troubleshoot address acquisition-related issues
DirectAccess : Troubleshoot DirectAccess related issues
FileSharing : Troubleshoot common file and printer sharing problems
InternetClient : Diagnose web connectivity issues
InternetServer : Troubleshoot server-side web connectivity issues
L2SEC : Troubleshoot layer 2 authentication related issues
LAN : Troubleshoot wired LAN related issues
Layer2 : Troubleshoot layer 2 connectivity related issues
MBN : Troubleshoot mobile broadband related issues
NDIS : Troubleshoot network adapter related issues
NetConnection : Troubleshoot issues with network connections

Let's start the trace (this grows fast, so don’t let it run too long):

PS C:\tmp> netsh trace start scenario=NetConnection

Trace configuration:
Status: Running
Trace File: C:\Users\neverending\AppData\Local\Temp\NetTraces\NetTrace.etl
Append: Off
Circular: On
Max Size: 250 MB
Report: Off

Now we start our app with keepalives enabled. What we are looking for here is the socket option command.

Stop the trace (the warning about the Kernel Logger is because I have ProcExp running):

PS C:\tmp> netsh trace stop
Correlating traces … done
Warning: An instance of the ‘NT Kernel Logger’ is already running.
System information will not be added to the trace file.
Generating data collection … done
The trace file and additional troubleshooting information have been compiled as “C:\Users\neverending\AppData\Local\Temp\NetTraces\”.
File location = C:\Users\neverending\AppData\Local\Temp\NetTraces\NetTrace.etl
Tracing session was successfully stopped.

Open the trace in Event Viewer and look for event 1105.

Socket option being enabled
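
The same lookup can be scripted instead of browsing the trace in Event Viewer. This PowerShell is an added example, not part of the original post; the parameter names are hypothetical, the default path is the trace location shown in the netsh output above, and 1105 is the event ID given above.

```powershell
# Added example: list event 1105 records from a netsh trace ETL file.
param(
    # Path printed by "netsh trace stop" (assumed default location).
    [string]$EtlPath = "$env:LOCALAPPDATA\Temp\NetTraces\NetTrace.etl",
    # Event ID to look for; 1105 is the one named in the text.
    [int]$EventId = 1105
)

if (-not (Test-Path -LiteralPath $EtlPath)) {
    throw "Trace file not found: $EtlPath"
}

# ETL files can only be read oldest-first, so -Oldest is required.
$hits = @(Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop |
    Where-Object { $_.Id -eq $EventId })

if ($hits.Count -eq 0) {
    Write-Warning "No event $EventId found in $EtlPath."
    return
}

# One record per matching event, in time order.
$hits | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Provider  = $_.ProviderName
        ProcessId = $_.ProcessId
        Message   = $_.Message
        # Raw payload values, useful when the message text cannot be rendered.
        Data      = ($_.Properties | ForEach-Object { $_.Value }) -join ', '
    }
} | Format-List

# Count per process, so the app's PID can be matched against the trace.
$hits | Group-Object ProcessId |
    Select-Object @{ n = 'ProcessId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Compare the ProcessId column with the PID of the app under test to confirm the event belongs to it and not to another process that ran during the trace.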

You could also do a netmon packet capture. With color troubleshooting filters (these come with the latest parsers), keepalives are highlighted and are usually easy to find given their regular time interval.

