[Bro] How to count concurrent connections

Bernhard Ager ager at net.in.tum.de
Fri Oct 12 08:34:02 PDT 2007


On Thu, Oct 11, 2007 at 10:45:53AM -0700, Robin Sommer wrote:

> The event you're looking for is new_connection(). That one is raised
> for all connections for which Bro instantiates internal state, i.e.,
> it's the counterpart of connection_state_remove().

No, it is not :-) I only want fully established TCP connections. I
tried out new_connection() however, and it gives me about 8 times more
connections than there are fully established TCP connections (450k vs.
60k). By the way, I got my numbers now by using
connection_established() to detect new connections,
connection_state_remove() for decreasing the counter and a set of
conn_id to ensure that a connection is removed only once. The price -
of course - is the memory consumption of the extra table.

> Actually there is: the built-in resource_usage() returns a record
> which, among other stuff, contains the numbers of TCP, UDP, ICMP
> connections in memory. 

I tried out the built-in resource_usage() as well; it gives pretty
much the same results as the new_connection() approach:

1184669769.879156 total: 00116000  concurrent: 63310  max_TCP_conns: 63311  num_TCP_conns: 63310
1184669770.121984 total: 00117000  concurrent: 63796  max_TCP_conns: 63797  num_TCP_conns: 63796
1184669770.398366 total: 00118000  concurrent: 64256  max_TCP_conns: 64256  num_TCP_conns: 64256

However, sometimes, odd things happen. Like here, where
resource_usage()$max_TCP_conns almost doubles for a short period of
time (this is still in the startup phase):

1184669770.658614 total: 00119000  concurrent: 64683  max_TCP_conns: 64684  num_TCP_conns: 64683
1184669770.969641 total: 00120000  concurrent: 65106  max_TCP_conns: 73977  num_TCP_conns: 65106
1184669771.274491 total: 00121000  concurrent: 65511  max_TCP_conns: 83514  num_TCP_conns: 65511
1184669771.570219 total: 00122000  concurrent: 65973  max_TCP_conns: 93163  num_TCP_conns: 65973
1184669771.870853 total: 00123000  concurrent: 66452  max_TCP_conns: 102929  num_TCP_conns: 66452
1184669772.109635 total: 00124000  concurrent: 66873  max_TCP_conns: 112785  num_TCP_conns: 66873
1184669772.382840 total: 00125000  concurrent: 67299  max_TCP_conns: 122752  num_TCP_conns: 67299
1184669772.672518 total: 00126000  concurrent: 67767  max_TCP_conns: 67768  num_TCP_conns: 67767

After looking into the code this seems to happen exactly when the
underlying PDict object does a table resize.


Bye,
  Bernhard
-- 
Technische Universität Berlin
An-Institut Deutsche Telekom Laboratories
FG INET, Research Group Anja Feldmann
Sekr. TEL 4
Ernst-Reuter-Platz 7
D-10587 Berlin
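
The counting approach described in the message above, written out as a Bro script. This is an added example, not code from the original post or from the Bro distribution; the names established, total, concurrent and report_every, and the 1000-connection reporting interval, are assumptions chosen to mirror the log lines shown.

```zeek
# Added example (not from the original post): count concurrently
# established TCP connections with an explicit set of conn_id.

# Hypothetical names; report_every mirrors the 1000-step totals in the log.
const report_every = 1000;

# Connections that were counted on establishment and not yet removed.
global established: set[conn_id];

# Established connections seen so far, and those currently open.
global total: count = 0;
global concurrent: count = 0;

event connection_established(c: connection)
    {
    # Guard against counting the same conn_id twice.
    if ( c$id in established )
        return;

    add established[c$id];
    ++total;
    ++concurrent;

    if ( total % report_every == 0 )
        print fmt("%s total: %d concurrent: %d",
                  network_time(), total, concurrent);
    }

event connection_state_remove(c: connection)
    {
    # connection_state_remove() is also raised for connections that
    # never reached the established state (half-open, scans, UDP, ICMP).
    # Decrement only for entries counted above, and only once.
    if ( c$id !in established )
        return;

    delete established[c$id];
    --concurrent;
    }
```

The set holds one conn_id per open established connection, which is the extra memory cost mentioned in the message.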



