Count number of tcp connections per second
I have a service which can only handle a max of 10 requests per second and I need to monitor how often this is exceeded. I have seen various solutions with tcpdump, ss, netstat, ntop but none seem to give what I need. I guess the monitoring would need to be split into two scripts. One collecting the data via tcpdump running as root e.g:
tcpdump -i eth0 src ldapproxy and port ldap and '(tcp-syn|tcp-ack)!=0'
and then another script to analyse the output and give a max queries per second since the last check and this is the bit where I am stuck.
linux networking monitoring
edited Nov 21 at 21:06
Rui F Ribeiro
asked Apr 4 '16 at 12:02
Chris Lewis
1 Answer
Here's some awk to get you started:
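awk '/ > /{
    # convert the hh:mm:ss.frac timestamp in field 1 to seconds
    split($1,t,":"); time = (t[1]*60+t[2])*60+t[3]
    # gap since the previous event; window is the sum of the stored gaps
    diff = time-lasttime; lasttime = time
    event[++i] = diff; window += diff; tod[i] = $1
    # window is 1 second or more: drop the oldest event and shift the rest down
    while(window>=1){
        window -= event[1]
        for(j=1;j<i;j++){
            event[j] = event[j+1]
            tod[j] = tod[j+1]
        }
        i--
    }
    # more than 10 events inside the window: report it
    if(i+1>10) printf "%d events in %f secs at %s\n",i+1,window,tod[i]
} '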
It keeps (in array event) all the timestamps (converted to float seconds) which are in a running window of 1 second. When the window is exceeded by a new event, the 1st recorded event is removed and all the events shifted down one. i says how many events there are, not counting the one corresponding to the start of the window, which is always at relative time zero. The script prints how many events were in the window when the number exceeds 10. Example output:
11 events in 0.962827 secs at 14:53:51.262827
The pattern / > / is to match only incoming packets. You may need to refine this to match the lines that interest you.
answered Apr 4 '16 at 14:11
meuh
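An added example (not part of the answer above or the original page): a variant of the same one-second sliding window that reads `tcpdump -tt` epoch timestamps, so the count is not disturbed at midnight, and counts only initial SYN lines so each connection is counted once. It reports the peak, which is the "max per second since the last check" figure the question asks for. The function names, the capture command in the comment and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed capture command (run as root). It keeps only SYN-without-ACK packets,
# i.e. one packet per new connection, and prints epoch timestamps:
#   tcpdump -l -tt -n -i eth0 \
#     'src ldapproxy and port ldap and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

conn_rate() {   # usage: conn_rate LIMIT < tcpdump-output
    awk -v limit="$1" '
    / Flags \[S\],/ {                  # initial SYN only; a SYN-ACK prints as [S.]
        t = $1 + 0                     # -tt timestamp: seconds since the epoch
        ts[++tail] = t
        # drop events that are 1 s or more older than the newest one
        while (t - ts[head + 1] >= 1) delete ts[++head]
        n = tail - head                # connections inside the current window
        if (n > peak) { peak = n; peak_at = $1 }
        if (n > limit) over++          # events seen while above the limit
    }
    END { printf "peak=%d at=%s over=%d\n", peak, (peak_at == "" ? "-" : peak_at), over + 0 }'
}

sample_capture() {   # constructed sample lines, not real traffic
    cat <<'EOF'
1459771231.000000 IP 192.0.2.10.40001 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.080000 IP 192.0.2.10.40002 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.160000 IP 192.0.2.10.40003 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.240000 IP 192.0.2.10.40004 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.320000 IP 192.0.2.10.40005 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.400000 IP 192.0.2.10.40006 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.480000 IP 192.0.2.10.40007 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.560000 IP 192.0.2.10.40008 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.640000 IP 192.0.2.10.40009 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.720000 IP 192.0.2.10.40010 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.800000 IP 192.0.2.10.40011 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.880000 IP 192.0.2.10.40012 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
1459771231.900000 IP 192.0.2.20.389 > 192.0.2.10.40001: Flags [S.], seq 9, ack 2, win 28960, length 0
1459771231.910000 IP 192.0.2.10.40001 > 192.0.2.20.389: Flags [.], ack 10, win 229, length 0
1459771233.500000 IP 192.0.2.10.40013 > 192.0.2.20.389: Flags [S], seq 1, win 29200, length 0
EOF
}

sample_capture | conn_rate 10
```

In live use, pipe the capture command into `conn_rate 10`; the summary line is printed when the capture ends, so run it for the length of one check interval.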