[Bro] How to count concurrent connections
ager at net.in.tum.de
Fri Oct 12 08:34:02 PDT 2007

On Thu, Oct 11, 2007 at 10:45:53AM -0700, Robin Sommer wrote:
> The event you're looking for is new_connection(). That one is raised
> for all connections for which Bro instantiates internal state, i.e.,
> it's the counterpart of connection_state_remove().

No, it is not :-) I only want fully established tcp connections. I
tried out new_connection() however, and it gives me about 8 times more
connections than there are fully-established tcp-connections (450k vs.
60k). By the way, I got my numbers now by using
connection_established() to detect new connections,
connection_state_remove() for decreasing the counter and a set of
conn_id to ensure that a connection is removed only once. The price -
of course - is the memory consumption of the extra table.

> Actually there is: the built-in resource_usage() returns a record
> which, among other stuff, contains the numbers of TCP, UDP, ICMP
> connections in memory.

I tried out the built-in resource_usage() as well, it gives pretty
much the same results as the new_connection() approach:

1184669769.879156 total: 00116000 concurrent: 63310 max_TCP_conns: 63311 num_TCP_conns: 63310
1184669770.121984 total: 00117000 concurrent: 63796 max_TCP_conns: 63797 num_TCP_conns: 63796
1184669770.398366 total: 00118000 concurrent: 64256 max_TCP_conns: 64256 num_TCP_conns: 64256

However, sometimes, odd things happen. Like here, where
resource_usage()$max_TCP_conns almost doubles for a short period of
time (this is still in the startup phase):

1184669770.658614 total: 00119000 concurrent: 64683 max_TCP_conns: 64684 num_TCP_conns: 64683
1184669770.969641 total: 00120000 concurrent: 65106 max_TCP_conns: 73977 num_TCP_conns: 65106
1184669771.274491 total: 00121000 concurrent: 65511 max_TCP_conns: 83514 num_TCP_conns: 65511
1184669771.570219 total: 00122000 concurrent: 65973 max_TCP_conns: 93163 num_TCP_conns: 65973
1184669771.870853 total: 00123000 concurrent: 66452 max_TCP_conns: 102929 num_TCP_conns: 66452
1184669772.109635 total: 00124000 concurrent: 66873 max_TCP_conns: 112785 num_TCP_conns: 66873
1184669772.382840 total: 00125000 concurrent: 67299 max_TCP_conns: 122752 num_TCP_conns: 67299
1184669772.672518 total: 00126000 concurrent: 67767 max_TCP_conns: 67768 num_TCP_conns: 67767

After looking into the code this seems to happen exactly when the
underlying PDict object does a table resize.

Technische Universität Berlin
An-Institut Deutsche Telekom Laboratories
FG INET, Research Group Anja Feldmann
Sekr. TEL 4
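
The counting approach described in the message above (connection_established() to count up, connection_state_remove() to count down, and a set of conn_id so each connection is removed only once), sketched as a Bro (now Zeek) script. This is an added example, not the poster's script; the names established, concurrent, peak, total and report_every are assumptions chosen for illustration.

```zeek
# Added example, not code from the thread. All global names below are
# hypothetical; only the two events and the conn_id type come from the post.

const report_every = 1000 &redef;   # print one line per this many connections

# One conn_id per currently open, fully established TCP connection.
# This set is the extra memory cost mentioned in the post.
global established: set[conn_id];

global concurrent = 0;   # established connections open right now
global peak = 0;         # highest value of 'concurrent' seen so far
global total = 0;        # established connections seen since start

event connection_established(c: connection)
	{
	# Guard against counting the same connection twice.
	if ( c$id in established )
		return;

	add established[c$id];
	++total;
	++concurrent;

	if ( concurrent > peak )
		peak = concurrent;

	if ( total % report_every == 0 )
		print fmt("%s total: %d concurrent: %d peak: %d",
		          network_time(), total, concurrent, peak);
	}

event connection_state_remove(c: connection)
	{
	# This event fires for every connection Bro held state for, including
	# ones that never completed the handshake. Decrement only for
	# connections that were counted in connection_established().
	if ( c$id !in established )
		return;

	delete established[c$id];
	--concurrent;
	}
```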