Monitoring TCP Connections

JaviGM · Jun 27, 2013, 2:24 PM

Hi! This is my first post!! I´m from Argentina and my English is very basic, i hope you understand me!!

I want to know how am i do to monitor TCP Connections, i need reports that shows me for example:

Average connections/sec
Peak connections/sec
Non-peak connections/sec

Many applications (ntop, sarg, bandwidthd, states, vnstat2, etc.) have many information but nothing about TCP connections.

Could you help me?

Best regards!

jimp · Jun 28, 2013, 4:13 PM

The states graph (Status > RRD Graphs, System tab, pick states from the drop-down) might be as close as you can get.

That doesn't just graph TCP, but all connections.

Diagnostics > pfInfo may also be useful

JaviGM · Jul 1, 2013, 10:09 AM

Thanks Jimp but i don´t understand this RRD Graphs?? Y axis shows "States, IP," i don't understand what means and in which units is expressed. Moreover, units appear as "m cps", i don´t understand it!! Where i can get information about these RRD graphs? Sorry but my english very basic!

Thank you!

jimp · Jul 1, 2013, 12:27 PM

The red line is the total number of states.

The legend under the graph shows which colors mean what things, but I'll expand on them a little here:

system-pfrate - The rate at which connections are changed (new connections, states expiring) expressed in changes per second.
system-pfstates - The total number of active states at that point in time.
system-pfnat - The number of the above states which are doing NAT.
system-srcip - The number of unique source IPs connected at a given time.
system-dstip - The number of unique destination IPs connected at a given time.

JaviGM · Jul 1, 2013, 1:19 PM

Again thank you jimp!!! My last question… i hope... Sorry for my ignorance but I don´t understand what "states" are... for example "system-pfstates - The total number of active states at that point in time" i don´t understand what "active states" are!! Are states=connections??

Thanks!

jimp · Jul 1, 2013, 1:49 PM

When a connection passes through the firewall, the firewall remembers that it was passed so the return traffic can flow automatically. This knowledge is called a "state".

For each user connection, two states are made - one on the way into the firewall, one on the way out. So if you have 20,000 states active, then you have approximately 10,000 user connections active.

JaviGM · Jul 2, 2013, 9:42 AM

Great!!

Thank you!!