How to count dropped connections
Shachar Shemesh
shachar at shemesh.biz
Tue Jun 9 15:13:43 IDT 2009
Amos Shapira wrote:
>
> Maybe a clever iptables rule can count incoming SYN packets on the
> relevant ports (we listen on about 4-5 different ports) and then I can
> compare it against Apache access log for same period.
>
No need for anything special. Just do "iptables -L -v" to see how many
hits on each rule. iptables even has a command option that gives you the
stats and atomically zeroes the counters. All you need in addition is
grep, and you're almost set.
>
>> while apache log should be easily achievable by grep
>>
>
> If the TCP-level connection is dropped before an HTTP request is
> received then I'm not sure Apache's log will show it (just tried this
> on a Ubuntu desktop, don't know how much it indicates for CentOS 5).
>
Do you count that as a successful connection? It sounds to me like it is
not, which means that apache not listing it is actually a good thing.
What I would be worried about (not very, mind you) is SYN floods and
other stuff. Some failed TCP connections should not be counted (SYN is
invalid, three way handshake did not complete due to client
considerations, retransmitted SYNs etc.). The only way I can think of to
find those is a sniffer (I don't know of any tcpdump rules that can
match those, and I wouldn't trust its performance anyway, so I think a
dedicated one would work best).
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
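As an added example (not part of Shachar's reply or of the thread), a POSIX shell sketch of the iptables-plus-grep comparison he describes: it reads the exact counters of a per-port SYN-counting chain and sets them against the requests Apache logged on the same ports. The chain name SYNCOUNT, the counter output and the access-log lines are constructed, and the log is assumed to use Apache's vhost_combined format so that the port appears on every line.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-port SYN counters from
# `iptables -L SYNCOUNT -v -n -x` compared with Apache's access log.
#
# Rules that would feed such a chain on a real host (root needed; not run here):
#   iptables -N SYNCOUNT
#   iptables -I INPUT -p tcp --syn -j SYNCOUNT
#   iptables -A SYNCOUNT -p tcp --dport 80  -j RETURN   # one rule per listening port
#   iptables -A SYNCOUNT -p tcp --dport 443 -j RETURN
#   iptables -L SYNCOUNT -v -n -x -Z   # exact counters, zeroed atomically after listing

# Constructed sample of `iptables -L SYNCOUNT -v -n -x` output.
SAMPLE_IPTABLES='Chain SYNCOUNT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1532    91920 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     417    25020 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
      12      720 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080'

# Constructed Apache lines in vhost_combined format ("%v:%p ..."): each entry
# starts with the server name and the local port the request arrived on.
SAMPLE_ACCESS_LOG='www.example.com:80 10.0.0.5 - - [09/Jun/2009:15:00:01 +0300] "GET / HTTP/1.1" 200 512
www.example.com:80 10.0.0.6 - - [09/Jun/2009:15:00:02 +0300] "GET /a HTTP/1.1" 200 128
www.example.com:443 10.0.0.7 - - [09/Jun/2009:15:00:03 +0300] "GET /b HTTP/1.1" 200 64
www.example.com:8080 10.0.0.8 - - [09/Jun/2009:15:00:04 +0300] "GET /c HTTP/1.1" 200 64'

# SYNs the kernel saw for one port: the pkts column of the rule whose match
# token is exactly "dpt:<port>" (token compare, so 80 does not match 8080).
syn_count() {
    printf '%s\n' "$SAMPLE_IPTABLES" | awk -v port="$1" '
        $1 ~ /^[0-9]+$/ { for (i = 1; i <= NF; i++) if ($i == "dpt:" port) print $1 }'
}

# Requests Apache logged for one port: the first field is "<vhost>:<port>".
log_count() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" |
        awk -v port="$1" -F'[ :]' '$2 == port { n++ } END { print n + 0 }'
}

# SYNs without a logged request. Only an estimate: retransmitted SYNs count
# more than once, and a keep-alive connection can carry several requests.
dropped_estimate() {
    echo $(( $(syn_count "$1") - $(log_count "$1") ))
}

for p in 80 443 8080; do
    printf 'port %-5s syn=%-6s logged=%-4s unaccounted=%s\n' \
        "$p" "$(syn_count "$p")" "$(log_count "$p")" "$(dropped_estimate "$p")"
done
```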