Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 23:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

More stats collection extensions.

Browse source
This commit is contained in:
Seth Hall 2016-01-08 17:03:16 -05:00
parent 6d836b7956
commit 3c71d4ffa8
8 changed files with 47 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

5
scripts/base/init-bare.bro
View file

@ -530,8 +530,9 @@ type MatcherStats: record {
}; };
type TimerStats: record { type TimerStats: record {
num_timers: count; ##< Current number of pending timers. current: count; ##< Current number of pending timers.
max_timers: count; ##< Maximum number of concurrent timers pending so far. max: count; ##< Maximum number of concurrent timers pending so far.
cumulative: count;
}; };
type FileAnalysisStats: record { type FileAnalysisStats: record {

32
scripts/policy/misc/stats.bro
View file

@ -39,6 +39,16 @@ export {
## ICMP connections seen since last stats interval. ## ICMP connections seen since last stats interval.
icmp_conns: count &log; icmp_conns: count &log;
## Number of timers scheduled since last stats interval.
timers: count &log;
## Current number of scheduled timers.
active_timers: count &log;
## Number of files seen since last stats interval.
files: count &log;
## Current number of files actively being seen.
active_files: count &log;
## Current size of TCP data in reassembly. ## Current size of TCP data in reassembly.
reassem_tcp_size: count &log; reassem_tcp_size: count &log;
## Current size of File data in reassembly. ## Current size of File data in reassembly.
@ -74,14 +84,16 @@ event bro_init() &priority=5
Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats"]); Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats"]);
} }
event check_stats(last_ts: time, last_ns: NetStats, last_cs: ConnStats, last_ps: ProcStats, last_es: EventStats, last_rs: ReassemblerStats) event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: ProcStats, last_es: EventStats, last_rs: ReassemblerStats, last_ts: TimerStats, last_fs: FileAnalysisStats)
{ {
local now = current_time(); local now = network_time();
local ns = get_net_stats(); local ns = get_net_stats();
local cs = get_conn_stats(); local cs = get_conn_stats();
local ps = get_proc_stats(); local ps = get_proc_stats();
local es = get_event_stats(); local es = get_event_stats();
local rs = get_reassembler_stats(); local rs = get_reassembler_stats();
local ts = get_timer_stats();
local fs = get_file_analysis_stats();
if ( bro_is_terminating() ) if ( bro_is_terminating() )
# No more stats will be written or scheduled when Bro is # No more stats will be written or scheduled when Bro is
@ -90,7 +102,7 @@ event check_stats(last_ts: time, last_ns: NetStats, last_cs: ConnStats, last_ps:
local info: Info = [$ts=now, local info: Info = [$ts=now,
$peer=peer_description, $peer=peer_description,
$mem=ps$mem/1000000, $mem=ps$mem/1048576,
$pkts_proc=ns$pkts_recvd - last_ns$pkts_recvd, $pkts_proc=ns$pkts_recvd - last_ns$pkts_recvd,
$active_tcp_conns=cs$num_tcp_conns, $active_tcp_conns=cs$num_tcp_conns,
@ -106,11 +118,17 @@ event check_stats(last_ts: time, last_ns: NetStats, last_cs: ConnStats, last_ps:
$reassem_unknown_size=rs$unknown_size, $reassem_unknown_size=rs$unknown_size,
$events_proc=es$num_events_dispatched - last_es$num_events_dispatched, $events_proc=es$num_events_dispatched - last_es$num_events_dispatched,
$events_queued=es$num_events_queued - last_es$num_events_queued $events_queued=es$num_events_queued - last_es$num_events_queued,
$timers=ts$cumulative - last_ts$cumulative,
$active_timers=ts$current,
$files=fs$cumulative - last_fs$cumulative,
$active_files=fs$current
]; ];
# Someone's going to have to explain what this is and add a field to the Info record. # Someone's going to have to explain what this is and add a field to the Info record.
# info$util = 100.0*((ps$user_time + ps$system_time) - (last_ps$user_time + last_ps$system_time))/(now-last_ts); # info$util = 100.0*((ps$user_time + ps$system_time) - (last_ps$user_time + last_ps$system_time))/(now-then);
if ( reading_live_traffic() ) if ( reading_live_traffic() )
{ {
@ -122,10 +140,10 @@ event check_stats(last_ts: time, last_ns: NetStats, last_cs: ConnStats, last_ps:
} }
Log::write(Stats::LOG, info); Log::write(Stats::LOG, info);
schedule stats_report_interval { check_stats(now, ns, cs, ps, es, rs) }; schedule stats_report_interval { check_stats(now, ns, cs, ps, es, rs, ts, fs) };
} }
event bro_init() event bro_init()
{ {
schedule stats_report_interval { check_stats(current_time(), get_net_stats(), get_conn_stats(), get_proc_stats(), get_event_stats(), get_reassembler_stats()) }; schedule stats_report_interval { check_stats(network_time(), get_net_stats(), get_conn_stats(), get_proc_stats(), get_event_stats(), get_reassembler_stats(), get_timer_stats(), get_file_analysis_stats()) };
} }

3
src/PriorityQueue.cc
View file

@ -13,7 +13,7 @@ PriorityQueue::PriorityQueue(int initial_size)
{ {
max_heap_size = initial_size; max_heap_size = initial_size;
heap = new PQ_Element*[max_heap_size]; heap = new PQ_Element*[max_heap_size];
peak_heap_size = heap_size = 0; peak_heap_size = heap_size = cumulative_num = 0;
} }
PriorityQueue::~PriorityQueue() PriorityQueue::~PriorityQueue()
@ -62,6 +62,7 @@ int PriorityQueue::Add(PQ_Element* e)
BubbleUp(heap_size); BubbleUp(heap_size);
++cumulative_num;
if ( ++heap_size > peak_heap_size ) if ( ++heap_size > peak_heap_size )
peak_heap_size = heap_size; peak_heap_size = heap_size;

3
src/PriorityQueue.h
View file

@ -4,6 +4,7 @@
#define __PriorityQueue__ #define __PriorityQueue__
#include <math.h> #include <math.h>
#include "util.h"
class PriorityQueue; class PriorityQueue;
@ -53,6 +54,7 @@ public:
int Size() const { return heap_size; } int Size() const { return heap_size; }
int PeakSize() const { return peak_heap_size; } int PeakSize() const { return peak_heap_size; }
uint64 CumulativeNum() const { return cumulative_num; }
protected: protected:
int Resize(int new_size); int Resize(int new_size);
@ -92,6 +94,7 @@ protected:
int heap_size; int heap_size;
int peak_heap_size; int peak_heap_size;
int max_heap_size; int max_heap_size;
uint64 cumulative_num;
}; };
#endif #endif

3
src/Timer.h
View file

@ -109,6 +109,7 @@ public:
virtual int Size() const = 0; virtual int Size() const = 0;
virtual int PeakSize() const = 0; virtual int PeakSize() const = 0;
virtual uint64 CumulativeNum() const = 0;
double LastTimestamp() const { return last_timestamp; } double LastTimestamp() const { return last_timestamp; }
// Returns time of last advance in global network time. // Returns time of last advance in global network time.
@ -148,6 +149,7 @@ public:
int Size() const { return q->Size(); } int Size() const { return q->Size(); }
int PeakSize() const { return q->PeakSize(); } int PeakSize() const { return q->PeakSize(); }
uint64 CumulativeNum() const { return q->CumulativeNum(); }
unsigned int MemoryUsage() const; unsigned int MemoryUsage() const;
protected: protected:
@ -170,6 +172,7 @@ public:
int Size() const { return cq_size(cq); } int Size() const { return cq_size(cq); }
int PeakSize() const { return cq_max_size(cq); } int PeakSize() const { return cq_max_size(cq); }
uint64 CumulativeNum() const { return cq_cumulative_num(cq); }
unsigned int MemoryUsage() const; unsigned int MemoryUsage() const;
protected: protected:

9
src/cq.c
View file

@ -42,6 +42,7 @@ struct cq_handle {
int lowmark; /* low bucket threshold */ int lowmark; /* low bucket threshold */
int nextbucket; /* next bucket to check */ int nextbucket; /* next bucket to check */
int noresize; /* don't resize while we're resizing */ int noresize; /* don't resize while we're resizing */
uint64_t cumulative_num; /* cumulative entries ever enqueued */
double lastpri; /* last priority */ double lastpri; /* last priority */
double ysize; /* length of a year */ double ysize; /* length of a year */
double bwidth; /* width of each bucket */ double bwidth; /* width of each bucket */
@ -175,6 +176,7 @@ cq_enqueue(register struct cq_handle *hp, register double pri,
} }
bp->pri = pri; bp->pri = pri;
bp->cookie = cookie; bp->cookie = cookie;
++hp->cumulative_num;
if (++hp->qlen > hp->max_qlen) if (++hp->qlen > hp->max_qlen)
hp->max_qlen = hp->qlen; hp->max_qlen = hp->qlen;
#ifdef DEBUG #ifdef DEBUG
@ -414,6 +416,13 @@ cq_max_size(struct cq_handle *hp)
return hp->max_qlen; return hp->max_qlen;
} }
uint64_t
cq_cumulative_num(struct cq_handle *hp)
{
return hp->cumulative_num;
}
/* Return without doing anything if we fail to allocate a new bucket array */ /* Return without doing anything if we fail to allocate a new bucket array */
static int static int
cq_resize(register struct cq_handle *hp, register int grow) cq_resize(register struct cq_handle *hp, register int grow)

1
src/cq.h
View file

@ -5,6 +5,7 @@ void *cq_dequeue(struct cq_handle *, double);
void *cq_remove(struct cq_handle *, double, void *); void *cq_remove(struct cq_handle *, double, void *);
int cq_size(struct cq_handle *); int cq_size(struct cq_handle *);
int cq_max_size(struct cq_handle *); int cq_max_size(struct cq_handle *);
uint64_t cq_cumulative_num(struct cq_handle *);
unsigned int cq_memory_allocation(void); unsigned int cq_memory_allocation(void);
#ifdef DEBUG #ifdef DEBUG
void cq_debug(struct cq_handle *, int); void cq_debug(struct cq_handle *, int);

1
src/stats.bif
View file

@ -214,6 +214,7 @@ function get_timer_stats%(%): TimerStats
r->Assign(n++, new Val(unsigned(timer_mgr->Size()), TYPE_COUNT)); r->Assign(n++, new Val(unsigned(timer_mgr->Size()), TYPE_COUNT));
r->Assign(n++, new Val(unsigned(timer_mgr->PeakSize()), TYPE_COUNT)); r->Assign(n++, new Val(unsigned(timer_mgr->PeakSize()), TYPE_COUNT));
r->Assign(n++, new Val(timer_mgr->CumulativeNum(), TYPE_COUNT));
return r; return r;
%} %}