How to count dropped connections
Amos Shapira
amos.shapira at gmail.com
Tue Jun 9 14:42:08 IDT 2009
2009/6/9 Noam Rathaus <noamr at beyondsecurity.com>:
> Amos,
>
> What are you trying to count? I hope I understood you correctly, you want to
> know how many HTTP requests are being handled, against those that couldn't
> be handled due to lack of connections.
Yes. "How many connections from customers have reached our servers but
failed to complete the TCP handshake and send a request?"
>
> netstat is a very bad counting device, unless you are counting packets.
I know. I try to use it as a tool to find counters which might exist
in the kernel. For instance, it can't tell me which port or IP
address the connections failed on.
>
> If you want to count "requests" I would count incoming connection requests
> (SYN) vs apache log of requests
>
> The incoming connections should be counted using tcpdump or similar
I just read during my googling that tcpdump is not reliable - it
could report packets more than once, e.g. packets which haven't been
sent or count packets more than once. Also it slows down the network
for time-stamping.
Maybe a clever iptables rule can count incoming SYN packets on the
relevant ports (we listen on about 4-5 different ports) and then I can
compare it against Apache access log for same period.
>
> while apache log should be easily achievable by grep
If the TCP-level connection is dropped before an HTTP request is
received then I'm not sure Apache's log will show it (just tried this
on a Ubuntu desktop, don't know how much it indicates for CentOS 5).
Thanks,
--Amos
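The iptables counting approach sketched above, worked through as an added example that is not part of the original thread: one counting rule per listening port in its own chain, the counters read back from `iptables -nvxL`, and the result compared against the requests Apache logged for the same window. The port list, the chain name, the iptables/log sample output and a LogFormat that appends `%p` (so the local port is the last field of each log line) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: count incoming SYNs per listening port
# with iptables counters and compare with requests Apache logged for the same
# window. Port list, chain name, LogFormat and sample data are assumptions.

PORTS="80 443 8080"      # assumed listening ports; adjust to your servers
CHAIN="COUNT_SYN"        # hypothetical chain holding one counting rule per port

# Install the counting rules. Needs root and a live kernel; the checks further
# down parse sample output instead of calling this. Uses -D/-I rather than -C
# so it also works with the older iptables shipped in CentOS 5.
install_syn_counters() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -F "$CHAIN"
    for p in $PORTS; do
        # --syn = SYN set, ACK/RST/FIN clear: new connection attempts only.
        # No -j target: the rule only counts and lets the packet continue.
        iptables -A "$CHAIN" -p tcp --dport "$p" --syn
    done
    iptables -D INPUT -p tcp -j "$CHAIN" 2>/dev/null || true
    iptables -I INPUT 1 -p tcp -j "$CHAIN"
    iptables -Z "$CHAIN"   # zero the counters at the start of the window
}

# Read the packet counter for port $1 from "iptables -nvxL $CHAIN" on stdin.
# The target column is empty for these rules, so look for the dpt:PORT token
# instead of relying on a fixed field position.
syn_count_for_port() {
    awk -v want="dpt:$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            for (i = 3; i <= NF; i++) if ($i == want) sum += $1
        }
        END { print sum + 0 }'
}

# Count access-log lines on stdin whose timestamp starts with $1
# (e.g. "09/Jun/2009:14:4" for one ten-minute slice) and whose local port
# (last field, from %p in the assumed LogFormat) is $2.
requests_in_window() {
    awk -v prefix="[$1" -v port="$2" '
        substr($4, 1, length(prefix)) == prefix && $NF == port { n++ }
        END { print n + 0 }'
}

# Per-port report: SYNs seen, requests logged, and the gap between them.
# $1 = saved "iptables -nvxL $CHAIN" output, $2 = access log, $3 = time prefix.
gap_report() {
    for p in $PORTS; do
        syn=$(syn_count_for_port "$p" < "$1")
        req=$(requests_in_window "$3" "$p" < "$2")
        echo "port $p: syn=$syn requests=$req gap=$((syn - req))"
    done
}

# Constructed sample of "iptables -nvxL COUNT_SYN" (not real measurements).
sample_iptables_output() {
    cat <<'EOF'
Chain COUNT_SYN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     412     24720            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02
      97      5820            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 flags:0x17/0x02
       0         0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 flags:0x17/0x02
EOF
}

# Constructed access-log lines, combined format plus %p as the last field.
sample_access_log() {
    cat <<'EOF'
10.0.0.5 - - [09/Jun/2009:14:40:02 +0300] "GET / HTTP/1.1" 200 5120 80
10.0.0.6 - - [09/Jun/2009:14:41:17 +0300] "GET /index.html HTTP/1.1" 200 3100 80
10.0.0.7 - - [09/Jun/2009:14:45:33 +0300] "POST /login HTTP/1.1" 302 210 443
10.0.0.5 - - [09/Jun/2009:14:49:59 +0300] "GET /img/a.png HTTP/1.1" 200 840 80
10.0.0.8 - - [09/Jun/2009:14:50:01 +0300] "GET / HTTP/1.1" 200 5120 80
EOF
}

# Stand-alone demo on the samples. Live use would be:
#   iptables -nvxL "$CHAIN" > syn.txt
#   gap_report syn.txt /var/log/httpd/access_log 09/Jun/2009:14:4
tmp_syn=$(mktemp); tmp_log=$(mktemp)
sample_iptables_output > "$tmp_syn"
sample_access_log > "$tmp_log"
gap_report "$tmp_syn" "$tmp_log" "09/Jun/2009:14:4"
rm -f "$tmp_syn" "$tmp_log"
```

Two caveats before trusting the gap: with keep-alive enabled one SYN can be followed by many logged requests, and a client whose SYN is dropped usually retransmits it, so one failed attempt shows up as several SYN packets; disable keep-alive for the measurement (or count it) and treat the gap as an upper bound. Apache only logs a request once it has read it, so connections that never get past the handshake are indeed invisible in the access log. The kernel's own listen-queue counters (`netstat -s`, "times the listen queue of a socket overflowed") are the direct measure of SYNs dropped for a full backlog, but they are system-wide, not per port, which is exactly why the per-port iptables counters are useful alongside them.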