[j-nsp] SYN/FIN ratio
Pavel Lunin
plunin at senetsy.ru
Sat Feb 27 11:34:33 EST 2010
Hi experts,
Could I ask someone to help me get a simple statistic? I'd
like to know the ratio of TCP sessions closed normally to those aged
out in some way in real-world Internet traffic.
A simple way to find this out is to place a filter like the following to
catch the packets flowing to the Internet and then look at the counters.
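
filter count-tcp-flags {
    /* protocol tcp added in each term so that tcp-flags is evaluated on TCP packets only */
    term SYN {
        from {
            protocol tcp;
            tcp-flags syn;
        }
        then {
            count tcp-syn;
            accept;
        }
    }
    term FIN {
        from {
            protocol tcp;
            tcp-flags fin;
        }
        then {
            count tcp-fin;
            accept;
        }
    }
    term RST {
        from {
            protocol tcp;
            tcp-flags rst;
        }
        then {
            count tcp-rst;
            accept;
        }
    }
    /* everything else passes uncounted */
    term permit-any {
        then accept;
    }
}
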
Since each TCP session has one segment flagged SYN in each direction,
and one segment flagged FIN is needed to close a session, this seems to
be a good approximation. Sure, there are cases when a SYN doesn't mean a good
session and so on, but at high enough values it shouldn't matter a lot.
I tried to test it myself on a couple of enterprise edge routers,
forwarding just about 30 Mbps each, and got a quite stable value of the
FIN/SYN ratio — approx 90%. The RST number is about 1.5% of SYNs.
I am afraid my environment is not representative enough to say it is
“almost always” so :)
If someone could share results of such a test, I would be very pleased.
--
Kind regards,
Pavel
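
Added example, not part of the original post: a Python sketch that counts the way the filter above does (first matching term wins) over a constructed list of outbound segments, and compares the counter ratios with a per-flow tally of how each session actually ended. The flow ids, the packet list and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed outbound segments: (flow id standing in for the 5-tuple, TCP flags).
PACKETS = [
    ("a", {"SYN"}), ("a", {"ACK"}), ("a", {"FIN", "ACK"}),  # normal close
    ("b", {"SYN", "ACK"}), ("b", {"FIN", "ACK"}),           # inbound-opened, normal close
    ("c", {"SYN"}), ("c", {"SYN"}), ("c", {"SYN"}),         # SYN retransmitted, no answer
    ("d", {"SYN"}), ("d", {"ACK"}), ("d", {"RST"}),         # reset
    ("e", {"SYN"}), ("e", {"ACK"}),                         # goes silent, ages out
    ("f", {"SYN"}), ("f", {"FIN", "ACK"}),                  # normal close
]

def filter_counters(packets):
    """Count like the filter: terms SYN, FIN, RST in order, first match wins."""
    counters = Counter()
    for _flow, flags in packets:
        for term in ("SYN", "FIN", "RST"):
            if term in flags:
                counters[term] += 1
                break
    return counters

def counter_ratios(counters):
    """FIN/SYN and RST/SYN as read from the counters."""
    syn = counters["SYN"]
    if syn == 0:
        return {"FIN": 0.0, "RST": 0.0}
    return {"FIN": counters["FIN"] / syn, "RST": counters["RST"] / syn}

def flow_outcomes(packets):
    """Per-flow truth: 'fin', 'rst', or 'aged' when neither flag was ever sent."""
    outcome = {}
    for flow, flags in packets:
        state = outcome.setdefault(flow, "aged")
        if state == "aged":
            if "FIN" in flags:
                outcome[flow] = "fin"
            elif "RST" in flags:
                outcome[flow] = "rst"
    return Counter(outcome.values())

if __name__ == "__main__":
    counters = filter_counters(PACKETS)
    print("counters:", dict(counters), "ratios:", counter_ratios(counters))
    print("per-flow outcomes:", dict(flow_outcomes(PACKETS)))
```

In this constructed sample the retransmitted SYNs of flow "c" inflate the SYN counter, so the counter-based FIN/SYN ratio comes out lower than the per-flow share of sessions that sent a FIN.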