packetbeat/protos/tcp: add metrics for TCP header flags (elastic#36975)

Scholar-Li · Feb 5, 2024 · 4158d11 · 4158d11
1 parent 6a5118b
commit 4158d11
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -231,6 +231,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 
 *Packetbeat*
 
+- Add metrics for TCP flags. {issue}36992[36992] {pull}36975[36975]
 
 *Packetbeat*
 

diff --git a/packetbeat/docs/protocol-metrics-packetbeat.asciidoc b/packetbeat/docs/protocol-metrics-packetbeat.asciidoc
@@ -33,6 +33,16 @@ observe the activity of Packetbeat for the monitored protocol.
 | `tcp.dropped_because_of_gaps` | Number of packets dropped because of gaps.
 | `arrival_period`              | Histogram of the elapsed time between packet arrivals.
 | `processing_time`             | Histogram of the elapsed time between packet receipt and publication.
+| `fin_flags_total`             | Number of TCP FIN (finish) flags observed.
+| `syn_flags_total`             | Number of TCP SYN (synchronization) flags observed.
+| `rst_flags_total`             | Number of TCP RST (reset) flags observed.
+| `psh_flags_total`             | Number of TCP PSH (push) flags observed.
+| `ack_flags_total`             | Number of TCP ACK (acknowledgement) flags observed.
+| `urg_flags_total`             | Number of TCP URG (urgent) flags observed.
+| `ece_flags_total`             | Number of TCP ECE (ECN echo) flags observed.
+| `cwr_flags_total`             | Number of TCP CWR (congestion window reduced) flags observed.
+| `ns_flags_total`              | Number of TCP NS (nonce sum) flags observed.
+| `received_headers_total`      | Number of headers observed, including unprocessed packets.
 |=======
 
 

diff --git a/packetbeat/protos/tcp/tcp.go b/packetbeat/protos/tcp/tcp.go
@@ -100,6 +100,8 @@ func (tcp *TCP) removalListener(_ common.Key, value common.Value) {
 func (tcp *TCP) Process(id *flows.FlowID, tcphdr *layers.TCP, pkt *protos.Packet) {
 	tcp.expiredConns.notifyAll()
 
+	tcp.metrics.logFlags(tcphdr)
+
 	stream, created := tcp.getStream(pkt)
 	if stream.conn == nil {
 		return
@@ -392,6 +394,11 @@ type inputMetrics struct {
 
 	lastPacket time.Time
 
+	// TCP flag counts.
+	fin, syn, rst, psh, ack, urg, ece, cwr, ns *monitoring.Uint
+	// Total number of headers, including zero length packets.
+	headers *monitoring.Uint
+
 	device         *monitoring.String // name of the device being monitored
 	packets        *monitoring.Uint   // number of packets processed
 	bytes          *monitoring.Uint   // number of bytes processed
@@ -418,6 +425,16 @@ func newInputMetrics(id, device string, ports map[uint16]protos.Protocol) *input
 		packets:        monitoring.NewUint(reg, "received_events_total"),
 		bytes:          monitoring.NewUint(reg, "received_bytes_total"),
 		overlapped:     monitoring.NewUint(reg, "tcp_overlaps"),
+		fin:            monitoring.NewUint(reg, "fin_flags_total"),
+		syn:            monitoring.NewUint(reg, "syn_flags_total"),
+		rst:            monitoring.NewUint(reg, "rst_flags_total"),
+		psh:            monitoring.NewUint(reg, "psh_flags_total"),
+		ack:            monitoring.NewUint(reg, "ack_flags_total"),
+		urg:            monitoring.NewUint(reg, "urg_flags_total"),
+		ece:            monitoring.NewUint(reg, "ece_flags_total"),
+		cwr:            monitoring.NewUint(reg, "cwr_flags_total"),
+		ns:             monitoring.NewUint(reg, "ns_flags_total"),
+		headers:        monitoring.NewUint(reg, "received_headers_total"),
 		dropped:        monitoring.NewInt(reg, "tcp.dropped_because_of_gaps"), // Name and type retained for compatibility.
 		arrivalPeriod:  metrics.NewUniformSample(1024),
 		processingTime: metrics.NewUniformSample(1024),
@@ -450,6 +467,41 @@ func portList(m map[uint16]protos.Protocol) string {
 	return strings.Join(s, "-")
 }
 
+// logFlags logs flag metric for the given packet header.
+func (m *inputMetrics) logFlags(hdr *layers.TCP) {
+	if m == nil {
+		return
+	}
+	m.headers.Add(1)
+	if hdr.FIN {
+		m.fin.Add(1)
+	}
+	if hdr.SYN {
+		m.syn.Add(1)
+	}
+	if hdr.RST {
+		m.rst.Add(1)
+	}
+	if hdr.PSH {
+		m.psh.Add(1)
+	}
+	if hdr.ACK {
+		m.ack.Add(1)
+	}
+	if hdr.URG {
+		m.urg.Add(1)
+	}
+	if hdr.ECE {
+		m.ece.Add(1)
+	}
+	if hdr.CWR {
+		m.cwr.Add(1)
+	}
+	if hdr.NS {
+		m.ns.Add(1)
+	}
+}
+
 // log logs metric for the given packet.
 func (m *inputMetrics) log(pkt *protos.Packet) {
 	if m == nil {