How to drop TCP connection without killing process?

Kevin D. Clark kevin_d_clark at access-4-free.com
Mon May 24 16:11:02 EDT 2004


Larry Cook <lcook at sybase.com> writes:

> Does anyone know of or have a utility that can drop TCP connections
> without killing the process that made the connection?

Warning: Cisco's sleek black gunships are speeding towards your office
         right now.  Ha ha.  At least they're not sending their most
         devastating weapon, which involves lawyers.


What you're asking for is kind of weird, but one way of accomplishing
what you're asking for is to use something like ipchains (depending on
what your system uses).  For example, something like this would work:

   ipchains -I input 1 -s <remote-ip> <remote-port> \
            -d <local-ip> <local-port> -p tcp -j DENY

   ipchains -I output 1 -s <local-ip> <local-port> \
            -d <remote-ip> <remote-port> -p tcp -j DENY

This basically instructs the IP stack to send all of the packets
related to the TCP session that you've specified off to
never-never-land.  The process(es) that have a socket to this TCP
session won't get notified that anything strange is going on.

> I'm trying dsniff/tcpkill and hunt, but both need to see some traffic
> first. Either there's no keep-alive packets being sent on the
> connection, or I'm not setting the filter correctly.
>
> Suggestions on other utilities or instructions on how to see TCP
> keep-alive packets using a tcpdump expression would be helpful.

This might be useful:

   tcpdump 'host my-computer and tcp port my-local-port'

If there are any keepalives being sent, tcpdump WILL see them.

Although I need to tell you up front that:

   1:  by default, TCP doesn't use ANY keepalives.  The application
       that uses a TCP session needs to enable these manually.

   2:  If TCP keepalives are enabled, typically these keepalives are
       sent out every few hours or so.  So, if you're waiting to see
       an elusive TCP keepalive, you might be waiting for a while.

       Applications that need some sort of keepalive feature
       (especially if these are short) have to implement these things
       themselves and not depend on TCP's keepalive feature.


I hope this helps,

--kevin
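Added example (not part of Kevin's reply or of any tool mentioned in the thread) illustrating points 1 and 2 above: a fresh TCP socket has SO_KEEPALIVE off, and even once it is enabled the stack's default idle time is hours, so an application that needs prompt detection of a silent peer (for example one whose packets a firewall rule is now dropping) has to probe at its own layer. The TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT tunables are assumed to be the Linux ones and are skipped on platforms that do not expose them; the loopback listener and the "PING" payload are constructed fixtures for the demonstration.

```python
import socket
import threading
import time


def keepalive_enabled(sock):
    """True if SO_KEEPALIVE is set on the socket (off by default)."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def enable_keepalive(sock, idle=60, interval=10, count=3):
    """Turn on TCP keepalive and, where the platform exposes the knobs,
    shorten the idle time, probe interval and probe count (assumed Linux
    names; without them the kernel default of hours applies).
    Returns the settings actually applied."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"enabled": keepalive_enabled(sock)}
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)  # absent on some platforms
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def probe_peer(sock, payload=b"PING\n", timeout=0.5):
    """Application-level liveness check: send a probe and wait for any
    reply. A peer that has gone silent shows up as a timeout here within
    `timeout` seconds, long before TCP keepalive would notice."""
    sock.settimeout(timeout)
    sock.sendall(payload)
    try:
        data = sock.recv(64)
    except socket.timeout:
        return False
    return len(data) > 0


def loopback_pair(echo):
    """Constructed fixture: a listener on 127.0.0.1 that echoes the first
    message back (echo=True) or reads it and stays silent (echo=False),
    then closes. Returns (client_socket, listening_socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(64)
            if echo and data:
                conn.sendall(data)
            time.sleep(1.0)  # hold the connection open past the probe timeout

    threading.Thread(target=serve, daemon=True).start()
    cli = socket.create_connection(srv.getsockname())
    return cli, srv


def demo():
    """Run both scenarios and return what each check observed."""
    results = {}
    cli, srv = loopback_pair(echo=True)
    results["keepalive_default"] = keepalive_enabled(cli)
    results["keepalive_after"] = enable_keepalive(cli, idle=30, interval=5, count=2)
    results["responsive_peer"] = probe_peer(cli)
    cli.close()
    srv.close()

    cli, srv = loopback_pair(echo=False)
    results["silent_peer"] = probe_peer(cli)
    cli.close()
    srv.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The silent-peer case is what the ipchains DENY rules above produce from the application's point of view: the socket stays open, nothing is reported by the kernel, and only a self-imposed timeout reveals that the other side has stopped answering.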




More information about the gnhlug-discuss mailing list