How to count dropped connections
Imri Zvik
imriz at inter.net.il
Tue Jun 9 18:02:19 IDT 2009
On Tuesday 09 June 2009 15:13:43 Shachar Shemesh wrote:
> > If the TCP-level connection is dropped before an HTTP request is
> > received then I'm not sure Apache's log will show it (just tried this
> > on an Ubuntu desktop, don't know how much it indicates for CentOS 5).
> >
>
> Do you count that as a successful connection? It sounds to me like it is
> not, which means that Apache not listing it is actually a good thing.
>
> What I would be worried about (not very, mind you) is SYN floods and
> other stuff. Some failed TCP connections should not be counted (SYN is
> invalid, three-way handshake did not complete due to client
> considerations, retransmitted SYNs etc.). The only way I can think of to
> find those is a sniffer (I don't know of any tcpdump rules that can
> match those, and I wouldn't trust its performance anyway, so I think a
> dedicated one would work best).
How about using iptables to count the TCP packets containing SYNs and
comparing it to the access_log entries? There are a couple of pitfalls here
that need to be addressed (like retransmission of SYN packets), but this
could probably be avoided by using a parsing script, which would eliminate the
duplicates.
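
The comparison proposed above, sketched as an added example that is not part of the original post: it counts SYN packets from iptables LOG lines, collapses retransmitted SYNs, and compares the result with the number of access_log entries. Assumptions: the LOG rule shown in the comment (the `SYNLOG: ` prefix is a hypothetical choice), constructed sample log lines, and KeepAlive disabled so that each access_log entry corresponds to one connection.

```python
import re

# Constructed, abbreviated kernel log lines, as an assumed rule like this would write:
#   iptables -A INPUT -p tcp --dport 80 --syn -j LOG --log-prefix "SYNLOG: " --log-tcp-sequence
SAMPLE_KERN_LOG = """\
Jun  9 18:00:01 web kernel: SYNLOG: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 DF PROTO=TCP SPT=40001 DPT=80 SEQ=1000 ACK=0 WINDOW=5840 SYN URGP=0
Jun  9 18:00:02 web kernel: SYNLOG: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=60 TTL=49 DF PROTO=TCP SPT=51515 DPT=80 SEQ=2000 ACK=0 WINDOW=5840 SYN URGP=0
Jun  9 18:00:05 web kernel: SYNLOG: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=60 TTL=49 DF PROTO=TCP SPT=51515 DPT=80 SEQ=2000 ACK=0 WINDOW=5840 SYN URGP=0
Jun  9 18:00:11 web kernel: SYNLOG: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=60 TTL=49 DF PROTO=TCP SPT=51515 DPT=80 SEQ=2000 ACK=0 WINDOW=5840 SYN URGP=0
Jun  9 18:00:12 web kernel: eth0: link up
Jun  9 18:00:13 web kernel: SYNLOG: IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 LEN=60 TTL=60 DF PROTO=TCP SPT=33333 DPT=80 SEQ=3000 ACK=0 WINDOW=5840 SYN URGP=0
"""

# Constructed access_log entries; the client 192.0.2.20 never got as far as a request.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [09/Jun/2009:18:00:01 +0300] "GET / HTTP/1.0" 200 512
192.0.2.30 - - [09/Jun/2009:18:00:13 +0300] "GET /a.html HTTP/1.0" 200 1024
"""

SYN_RE = re.compile(
    r"SYNLOG: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) SEQ=(?P<seq>\d+) ")

def unique_syns(kern_log):
    """Return (SYN packets logged, set of distinct connection attempts)."""
    total, seen = 0, set()
    for line in kern_log.splitlines():
        m = SYN_RE.search(line)
        if not m:
            continue  # unrelated kernel message
        total += 1
        # A retransmitted SYN repeats both the 4-tuple and the initial sequence
        # number, so this key collapses retransmissions into one attempt.
        seen.add((m["src"], m["spt"], m["dst"], m["dpt"], m["seq"]))
    return total, seen

def compare(kern_log, access_log):
    """Compare de-duplicated SYNs with the number of logged HTTP requests."""
    total, seen = unique_syns(kern_log)
    requests = sum(1 for line in access_log.splitlines() if line.strip())
    return {"syn_packets": total, "connection_attempts": len(seen),
            "logged_requests": requests, "without_request": len(seen) - requests}

if __name__ == "__main__":
    print(compare(SAMPLE_KERN_LOG, SAMPLE_ACCESS_LOG))
```
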