Score:2

Is there a way to obtain CPS and Thruoghput metrics in Linux?

aq flag

I want to analyze my Debian 9 server's network workload to detect some possible network overloads.

The main metrics I need to analyze are:

  • CPS (connections per second)
  • Throughput

Is there a way to obtain these metrics from within Linux?
I thought that CPS metric could be somehow obtained through conntrack NEW connections events but not sure that this would be the most proper way..

Sorry if obvious.

P.S. this server handles not only local traffic, it also forward a lot of traffic.

djdomi avatar
za flag
there are a lot of software that can be used to Monitor the Network. what is the goal you want to solve?
narotello avatar
aq flag
@djdomi I mentioned in my question that I want to detect the DoS by indirect signs. And I want it to do from within my server's OS.
djdomi avatar
za flag
in case of request to the webserver any ip which makes a lot of requests can be an attacker
narotello avatar
aq flag
@djdomi Okay, but this is not directly related to the method of obtaining CPS and Througput metrics. This is just a reflection on the topic of DoS attacks.
djdomi avatar
za flag
security discussion does imho not fit on serverfault.com. there's an extra site for that. you can create with Wireshark a file to verify that, but as long you keep your question generally it will not get any good answers
narotello avatar
aq flag
@djdomi The question is not about security, but about performance metrics. *"you can create with Wireshark a file to verify that"* - to verify what? What are you talking about?
Score:2
cn flag

I think it would be sufficient to describe these metrics' origins based on native Linux API.


Throughput

By the way, the throughput metric in general is something, that is external in relation to the testing object (OS Linux you're talking about). I.e. roughly speaking we have two hosts (e.g. client and server) and testing object between them. We blow the network traffic between client and server and record the (boundary) throughput of testing object (e.g. with iperf).
But from within OS Linux a simple way we can measure throughput is only per interface.
So you can just watch /proc/net/dev and calculate the delta of bytes per second:

sh-tst# cat /proc/net/dev 
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 87016202  715723    0    0    0     0          0         0 87016202  715723    0    0    0     0       0          0
  eth3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth1: 246415305 2899662    0 132906    0     0          0       230  5466117   19016    0    0    0     0       0          0
  eth0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0

CPS

The same thing is for CPS metric. Basically it is an external measurement. But from within your Linux you can try to calculate it based on the /proc/net/stat/ip_conntrack:

sh-tst# cat /proc/net/stat/ip_conntrack 
entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart
000000f8  00001742 0003142f 0001e85a 00000079 00021333 0001e6cf 00003a3d 00003bc5 00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000
000000f8  00002389 0005f1a0 0003b6f3 00000085 0004286f 0003b59e 00003cea 00003e3f 00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000
000000f8  000002c0 00037a77 00000714 00000000 000382cb 00000825 00000724 00000616 00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000
000000f8  00000225 00026cf9 00000271 00000000 00026e48 00000348 000002bd 000001e6 00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000

From lnstat(8) man:

/proc/net/stat/ip_conntrack, /proc/net/stat/nf_conntrack Conntrack related counters. ip_conntrack is for backwards compatibility with older userspace only and shows the same data as nf_conntrack.

...

new Number of conntrack entries added which were not expected before.

In Linux connection tracking:

NEW -- meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and

So seems that you want to calculate delta new per second.

Read more:

Score:0
in flag

The sar command that comes with sysstat will do both.

To monitor connections per second sar -n TCP 1

active/s is the outbound TCP connections passive/s is the inbound TCP connections

for UDP sar -n UDP 1

To look at network throughput sar -n DEV (optionally add a 1 to monitor current per/second)

narotello avatar
aq flag
*"active/s is the outbound TCP connections passive/s is the inbound TCP connections"* - but how can I obtain transit (forwarded) connections?
narotello avatar
aq flag
Both `sar -n enp5s0` and `sar -n enp5s0 1` doesn't work. Looks like the wrong option: `Usage: sar [ options ] [ <interval> [ <count> ] ] Options are:`...
narotello avatar
aq flag
Also, for UDP it seems to show datagrams per second. But not every datagram represents new connection. UDP connection has timeout, so all the datagrams under this timeout belongs to the same connection. Basically, your method shows **packets per second** on transport layer, and only **local** (in/out) **packets**.
dubs avatar
in flag
The DEV is literal ie sar -n DEV not sar -n <DEV>. sar -n IP has fwddgm/s if that is more appropriate.
narotello avatar
aq flag
*"The DEV is literal ie sar -n DEV"* - Ok, thanks. `fwddgm/s` - unfortunately it's not the CPS metric, but more likely PPS - packets per second.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.