Keepalive connections can be accounted for by tracking the total bytes written and adding timestamps for when each thread reads from or writes to a given socket file descriptor. In the accompanying post, we'll discuss a second approach, which involves using uprobes to capture the necessary information.
Table of contents
Packet Capture Using eBPFApproach #1: Metadata Based CorrelationDrawbacks of Metadata Based CorrelationFinal ThoughtsSort: