/var/adm/messages: DHCP traffic statistics datasheet exposed by DHCPv4 Filtering STREAMS Module via KSTAT infrastructure

Overview

This software is a STREAMS module that subjects BOOTP packets arriving on its read queue according to special filtering algorithm and passes only those packets that the filter accepts on to its upstream consumer – DHCP server process. In such a way the majority of DOS/DDOS attacks and flood don't influence the resources of DHCP server software which lies in user space.

The ORACLE Solaris Operating Environment (OE) kernel provides a set of functions and data structures - named KSTAT - for device drivers and other kernel modules to export module-specific statistics to the outside world. Current software version of DHCPv4 filter supports KSTAT for extracting its statistics about the processed DHCP traffic.

KSTAT instance behavior

DHCPv4 filter software can provide filtering services to many concurrent DHCP server process. Each of them has a separate inbound entry accessible via kstat utility (class net, module dhcpmod).When the instance is unloaded, the entry still remains in the system making the statistical data available for further analysis. Instance state is denoted by field state which can be 0 if filter instance is uninitialized, 1 – if it is running, 2 – if it is stopped, 3 – if it is failed to start.

Statistic counters

Module dhcpmod maintains and reports the following statistics. All statistics are maintained as unsigned. The statistics are 64 bits unless otherwise noted.

buffer errors

Shows how many errors while packet processing took place. Should be always 0.

cache buckets

Shows how many buckets allocated for HASH tables. Large values indicates traffic bursts.

cache errors

Shows how many errors/miss-consistences allocated for HASH tables. Should be always 0.

cache expired

Denotes cache expiration events.

cache hits

Denotes cache hits events. Should be more then cache misses in factor of 10 at least. May be less for the first ten minutes since instance startup.

cache misses

Denotes cache misses (not found) events.

cache records

Shows actual HASH usage. Large values indicates large traffic bursts.

discarded packets

Denotes discard events since instance startup.

discarded packets per sec

Denotes actual discard events rate. The filter effectiveness depends on that value.

discarded rate limit packets

Denotes actual discard events rate limited. Continuously high values means flood presence.

failure packets

Shows how many packet failed to be processed by traffic filter and were passed in to upstream neighbor. Should be always 0.

fragmented IP packets

Number of fragmented IPv4 packets. Such traffic is discarded silently.

input packets

Number of packets received from NIC.

input packets per sec

Rate of packets received from NIC.

invalid BOOTP packets

Number of BOOTP packets that violates RFC 2132. Such traffic is discarded silently.

invalid IP packets

Number of broken IPv4 packets. Such traffic is discarded silently.

invalid UDP packets

Number of broken UDP packets or its check sums. Such traffic is discarded silently.

malformed packets

Total number of the packets that cannot be processed normal due to its corruption or standard non-conformance. Such traffic is discarded silently.

no memory errors

For internal use. Signals not enough memory in system. Should be always 0.

non-def BOOTP cookie packets

Number of broken BOOTP magic cookie packets. Such traffic is discarded silently.

non-def BOOTP type packets

Number of broken BOOTP hardware type packets. Such traffic is discarded silently.

non-def dest port packets

Number of invalid destination packets. Such traffic is discarded silently.

non-def src port packets

Number of invalid source packets. Such traffic is discarded silently.

non-support media type packets

Number of non-IEEE ETHERNET packets. Such traffic is discarded silently.

non-support msg type packets

Number of invalid DHCP message type packets. Such traffic is discarded silently.

overrun packets

Number of oversized packets. Such traffic is discarded silently.

packets without DHCP Option 82

Number of packets which don't include RFC 3046 DHCP Option 82. Such traffic is handled according to custom policies.

passed packets

Denotes successful filter passed through unaltered events since instance startup.

passed packets per sec

Denotes rate of successful filter pass-through events.

underrun packets

Number of oversized packets. Such traffic is discarded silently.

Real-world example of accessing traffic statistics

You can use the command-line tool /usr/bin/kstat interactively to print all or selected KSTAT information about DHCP traffic from the system.

$  kstat -c net -m
dhcpmod

module: dhcpmod        
                instance: 1

name:   inbound        
                class:    net

buffer errors  
                0

cache buckets  
                16384

cache errors   
                0

cache expired  
                1978313

cache hits     
                7263887

cache misses   
                2012974

cache records  
                8381

crtime         
                522.985408215

discarded
packets               3230542

discarded
packets per sec       67

discarded rate
limit packets    3229064

failure packets
                861

fragmented IP
packets           0

input packets  
                27526307

input packets
per sec           268

invalid BOOTP
packets           0

invalid IP
packets              4

invalid UDP
packets             0

malformed
packets               617

no memory
errors                0

non-def BOOTP
cookie packets    2

non-def BOOTP
type packets      0

non-def dest
port packets       0

non-def src
port packets        861

non-support
media type packets  5

non-support msg
type packets    606

overrun packets
                0

packets without
DHCP Option 82  323744

passed packets 
                6048319

passed packets
per sec          44

snaptime       
                160039.377522581

state          
                1

underrun
packets                0

module: dhcpmod        
                instance: 2

name:   inbound        
                class:    net

buffer errors  
                0

cache buckets  
                4

cache errors   
                0

cache expired  
                490

cache hits     
                155

cache misses   
                499

cache records  
                2

crtime         
                522.986099883

discarded
packets               0

discarded
packets per sec       0

discarded rate
limit packets    0

failure packets
                0

fragmented IP
packets           0

input packets  
                658

input packets
per sec           0

invalid BOOTP
packets           0

invalid IP
packets              0

invalid UDP
packets             0

malformed
packets               0

no memory
errors                0

non-def BOOTP
cookie packets    0

non-def BOOTP
type packets      0

non-def dest
port packets       0

non-def src
port packets        0

non-support
media type packets  0

non-support msg
type packets    0

overrun packets
                0

packets without
DHCP Option 82  0

passed packets 
                658

passed packets
per sec          0

snaptime       
                160039.379437423

state          
                1

underrun
packets                0

For viewing one instance separately use -i key followed by instance ID.

$  kstat -c net -m
dhcpmod -i 1

/var/adm/messages

November 14, 2011

DHCP traffic statistics datasheet exposed by DHCPv4 Filtering STREAMS Module via KSTAT infrastructure

No comments:

Post a Comment