How to detect TCP Connection time_taken, TCP Connection Refused, and TCP Connection Timed out with Splunk Stream?

haley_swarnapat
Path Finder

I have several questions regarding Splunk Stream for TCP protocol:

  1. How to measure time_taken for TCP Connection establishment between TCP SYN and SYN-ACK using Splunk Stream?
  2. How to detect TCP Connection Refused? How to measure the time_taken for it?
  3. Can we detect TCP Connection Timed Out or when the client decides to cancel the TCP Connection request?

Many thanks in advance,
Haley

1 Solution

vshcherbakov_sp
Splunk Employee

Hello @haley_swarnapati,

1) Stream doesn't specifically calculate handshake time (SYN-ACK time - SYN time)

2) and 3): check for tcp_status field values as follows: 0 - connection established; 1 - connection refused (with RST); 2 - connection ignored by the server/timed out



haley_swarnapat
Path Finder

Thanks for your answer!

Btw, is there any roadmap to measure the handshake time?

We are facing a firewall performance issue here: sometimes it takes around 1000 milliseconds just to create a new TCP connection. The problem is that we need to show evidence of how often it occurs, how long it takes, and when precisely.

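Since Stream does not report the SYN to SYN-ACK latency asked about in the question and the follow-up, the script below is an added example (not part of this thread and not Splunk Stream code) that derives it directly from packet timestamps, for instance from a capture taken on either side of the firewall, and assigns each connection attempt the same 0/1/2 outcome the accepted answer describes for tcp_status. The Packet and Attempt types, their field names, the 3-second no-answer timeout, the treatment of a client-sent RST as outcome 2, and the sample packets are all assumptions of this example; the packet list is constructed for illustration. Retransmitted SYNs keep the first SYN's timestamp, so a slow handshake is measured from the client's first attempt, which is what the firewall evidence needs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits (low byte of the TCP flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    """One captured TCP segment. Field names are this example's own."""
    ts: float        # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Attempt:
    """One connection attempt, keyed by the client's first SYN."""
    client: Endpoint
    server: Endpoint
    syn_ts: float
    # Same meaning as Stream's tcp_status: 0 established, 1 refused (RST from
    # server), 2 no answer / abandoned. None = still open when the capture ended.
    tcp_status: Optional[int] = None
    handshake_ms: Optional[float] = None  # first SYN -> SYN-ACK (or -> RST) latency


def classify_attempts(packets: List[Packet], timeout_s: float = 3.0) -> List[Attempt]:
    """Pair every client SYN with the server's reply and time the handshake."""
    pending: Dict[Tuple[Endpoint, Endpoint], Attempt] = {}
    finished: List[Attempt] = []
    end_ts = max((p.ts for p in packets), default=0.0)

    for p in sorted(packets, key=lambda pk: pk.ts):
        fwd = ((p.src, p.sport), (p.dst, p.dport))  # direction client -> server
        rev = ((p.dst, p.dport), (p.src, p.sport))  # direction server -> client

        if p.flags & SYN and not p.flags & ACK:
            # A retransmitted SYN must not reset the clock: keep the first one.
            pending.setdefault(fwd, Attempt(fwd[0], fwd[1], p.ts))
            continue

        if rev in pending:
            a = pending[rev]
            if p.flags & SYN and p.flags & ACK:
                a.tcp_status = 0          # server accepted the connection
            elif p.flags & RST:
                a.tcp_status = 1          # server refused it with RST
            else:
                continue                  # unrelated segment on this 4-tuple
            a.handshake_ms = round((p.ts - a.syn_ts) * 1000.0, 3)
            finished.append(pending.pop(rev))
        elif fwd in pending and p.flags & RST:
            # Client gave up before any server reply (assumption: report as 2).
            a = pending.pop(fwd)
            a.tcp_status = 2
            finished.append(a)

    for a in pending.values():
        # SYN never answered within timeout_s of capture end: ignored / timed out.
        if end_ts - a.syn_ts >= timeout_s:
            a.tcp_status = 2
        finished.append(a)
    return sorted(finished, key=lambda at: at.syn_ts)


def count_by_status(attempts: List[Attempt]) -> Dict[Optional[int], int]:
    counts: Dict[Optional[int], int] = {}
    for a in attempts:
        counts[a.tcp_status] = counts.get(a.tcp_status, 0) + 1
    return counts


def slow_handshakes(attempts: List[Attempt], threshold_ms: float = 1000.0) -> List[Attempt]:
    """Established connections whose handshake took at least threshold_ms."""
    return [a for a in attempts
            if a.tcp_status == 0 and a.handshake_ms is not None
            and a.handshake_ms >= threshold_ms]


# Constructed sample capture: one server (S) behind the suspect firewall.
S = "10.0.0.5"
SAMPLE_PACKETS = [
    Packet(0.000, "10.1.1.10", 40000, S, 443, SYN),
    Packet(0.012, S, 443, "10.1.1.10", 40000, SYN | ACK),   # 12 ms handshake
    Packet(0.013, "10.1.1.10", 40000, S, 443, ACK),
    Packet(1.000, "10.1.1.11", 40001, S, 443, SYN),
    Packet(2.000, "10.1.1.11", 40001, S, 443, SYN),         # retransmit
    Packet(2.150, S, 443, "10.1.1.11", 40001, SYN | ACK),   # 1150 ms after first SYN
    Packet(2.500, "10.1.1.12", 40002, S, 8080, SYN),
    Packet(2.501, S, 8080, "10.1.1.12", 40002, RST | ACK),  # refused
    Packet(3.000, "10.1.1.13", 40003, S, 9999, SYN),
    Packet(4.000, "10.1.1.13", 40003, S, 9999, SYN),
    Packet(6.000, "10.1.1.13", 40003, S, 9999, SYN),        # never answered
    Packet(5.000, "10.1.1.14", 40004, S, 443, SYN),
    Packet(5.400, "10.1.1.14", 40004, S, 443, RST),         # client aborts
    Packet(7.000, "10.1.1.10", 40000, S, 443, ACK | PSH),   # data, ignored
]

if __name__ == "__main__":
    attempts = classify_attempts(SAMPLE_PACKETS)
    print("outcomes:", count_by_status(attempts))
    for a in slow_handshakes(attempts):
        print(f"slow handshake at t={a.syn_ts:.3f}s {a.client} -> {a.server}: {a.handshake_ms} ms")
```

Feeding real traffic into this only needs a reader that turns each segment of a pcap into a Packet; the timestamps of the slow attempts, printed above, are the "when precisely" evidence, and `count_by_status` gives the "how often". Comparing the same capture taken on both sides of the firewall isolates how much of the latency the firewall adds.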