Metrics
This feature is only available using the CLI.
Status and statistic counters are available through the sysfs entry /sys/packetshield/<instance name>/<context id>/stats.
$ cat /sys/packetshield/myinst/Other/stats
status : 0x0000
rx_total : 0
invalid : 0
whitelisted: 0
filtered : 0
out_related: 0
dns_resp : 0
udp_rsp : 0
syn : 0
rst : 0
ack : 0
unknown_ttl: 0
ttlfiltered: 0
established: 0
newconns : 0
unmatched : 0
syncookie : 0
drop_syn : 0
drop_rst : 0
drop_ack : 0
delivered : 0
tx_total : 0
quic_init : 0
quic_0rtt : 0
quic_hshak : 0
quic_shrth : 0
quicretry : 0
drop_qnt : 0
drop_q0t : 0
drop_qhs : 0
drop_qsh : 0
status | current status of the context. This value is a bitfield. It can be one or a combination of the different following values: The value
rx_total | counter of incoming packets on current context
invalid | counter of invalid (from a protocol point of view) incoming packets on current context. Possible reasons are:
whitelisted | counter of accepted incoming packets because they match one of the allowlist (whitelist) rules:
filtered | counter of dropped packets because of configured policy. Possible reasons are:
out_related | counter of accepted incoming TCP packets related to a known outbound session
dns_rsp | counter of accepted incoming UDP packets related to a known outbound DNS query
udp_rsp | counter of accepted incoming UDP packets related to a known outbound UDP packet
syn | counter of incoming TCP SYN packets
rst | counter of incoming TCP RST packets
ack | counter of incoming TCP ACK packets
unknown_ttl | counter of incoming packets with a suspect TTL
ttlfiltered | counter of dropped packets in order to validate TTLs
established | counter of accepted incoming TCP packets related to a known session
newconns | counter of incoming TCP SYN packets on protected TCP ports which are not TCP retransmit (new connections) or incoming QUIC INIT/0-RTT packets which do not contain a token
unmatched | counter of incoming TCP RST and ACK packets or incoming QUIC handshake/short header packets on protected ports and not related to an established session
syncookie | counter of successfully generated SYN cookies
drop_syn | counter of dropped SYN packets because generation of SYN cookies failed
drop_rst | counter of dropped incoming TCP RST packets on protected port because not related to a known session
drop_ack | counter of dropped incoming TCP ACK packets on protected port because not related to a known session
delivered | counter of packets delivered to system stack. If surge protect mode is reached the counter presents the number of packets dropped instead of being delivered.
total_tx | counter of total outgoing packets (except generated ones)
quic_init | Counter of incoming datagrams starting with a QUIC INIT packet on UDP protected ports.
quic_0rtt | Counter of incoming datagrams starting with a QUIC 0-RTT packet on UDP protected ports.
quic_hshak | Counter of incoming datagrams starting with a QUIC handshake packet on UDP protected ports.
quic_shrth | Counter of incoming datagrams starting with a QUIC short header packet on UDP protected ports.
quicretry | Counter of successfully generated QUIC retry packets including a token.
drop_qnt | Counter of dropped datagrams starting with a QUIC INIT packet (for example, those dropped for containing an invalid token).
drop_q0t | Counter of dropped datagrams starting with a QUIC 0RTT packet (dropped if new_cook protection is toggled).
drop_qhs | Counter of dropped datagrams starting with a QUIC handshake packet (dropped because they are not part of an existing session and unmatch protection is enabled).
drop_qsh | Counter of dropped datagrams starting with a QUIC short header packet (not part of an existing session and unmatch protection is enabled).
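
An added example (not part of the PacketShield documentation or tooling): a small Python parser for the stats output shown above that compares two samples and reports which drop-related counters grew. The sample text, the 0x0001 status value and the rule that a decreasing counter means a reset are assumptions made for the illustration.

```python
"""Added example: parse PacketShield stats text and report drop-counter growth."""

# Counters from the page's table that count dropped or rejected packets.
DROP_COUNTERS = (
    "invalid", "filtered", "ttlfiltered", "drop_syn", "drop_rst", "drop_ack",
    "drop_qnt", "drop_q0t", "drop_qhs", "drop_qsh",
)


def parse_stats(text):
    """Parse 'name : value' lines; status is hex, every other field decimal."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue  # skip blank or malformed lines
        name, value = name.strip(), value.strip()
        stats[name] = int(value, 16) if name == "status" else int(value)
    return stats


def drop_deltas(prev, curr):
    """Return {counter: increase} for drop counters that grew between samples.

    Assumption: a counter lower than its previous value was reset, so the
    current value is taken as the increase.
    """
    deltas = {}
    for name in DROP_COUNTERS:
        before, after = prev.get(name, 0), curr.get(name, 0)
        grown = after - before if after >= before else after
        if grown:
            deltas[name] = grown
    return deltas


# Constructed samples (not captured from a real system), abbreviated.
SAMPLE_T0 = "status : 0x0000\nrx_total : 1000\nsyn : 40\nsyncookie : 0\ndrop_ack : 2\nwhitelisted: 10\n"
SAMPLE_T1 = "status : 0x0001\nrx_total : 9000\nsyn : 5000\nsyncookie : 4900\ndrop_ack : 350\ndrop_rst : 12\nwhitelisted: 10\n"

if __name__ == "__main__":
    t0, t1 = parse_stats(SAMPLE_T0), parse_stats(SAMPLE_T1)
    if t0["status"] != t1["status"]:
        print(f"status changed: {t0['status']:#06x} -> {t1['status']:#06x}")
    for name, grown in drop_deltas(t0, t1).items():
        print(f"{name} +{grown}")
```

On a live system, pass parse_stats the contents of /sys/packetshield/<instance name>/<context id>/stats read at two points in time.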