Matt_M_62913
Dec 10, 2012

Heuristic for sysStatHttpRequests?

We are seeing a lot of connections that are not HTTP and that we don't have a ready explanation for. I am getting the number for non-HTTP traffic by getting the total new connections from sysStatClientTotConns and then subtracting the HTTP requests that we get from sysStatHttpRequests.

In order to figure out what we are seeing, I would like to know what qualifies traffic as HTTP in the F5's SNMP setup? Is it anything on port 80? Or does it look for HTTP headers, or some other criteria?

 

 

Thanks!

 

4 Replies

  • Hi Matt,

     

     

    I think the sysStatHttpRequests is counting the HTTP requests to any virtual server with an HTTP profile. Clients can reuse the same TCP connection to send multiple requests, so I'm not sure you'll be able to get a simple count of non-HTTP connections using these two metrics. Can you look at virtual servers without an HTTP profile to get the non-HTTP connection counts?

     

     

    Aaron
  • Clients can reuse the same TCP connection to send multiple requests, so I'm not sure you'll be able to get a simple count of non-HTTP connections using these two metrics.

     

     

    Good point, but that would imply that Connections get undercounted compared to HTTP requests. Here's the type of numbers we are seeing:

     

     

    New Connections: 14,200 / second

     

    HTTP Requests: 7,948 / second

     

     

    Which leaves about 6,200 new connections that are not HTTP, and these servers should not really be seeing any non-HTTP traffic, except for an occasional SSH connection.

     

     

    There is a lot of request/response traffic over cURL, but that all goes to port 80, so I was thinking it should be counted in the HTTP totals -- Thus my original question. I will need to take a look at the HTTP profile. FWIW, my prime responsibility is the servers behind the F5 - another person actually manages our F5s.

     

     

    Can you look at virtual servers without an HTTP profile to get the non-HTTP connection counts?

     

     

    Not easily. All the servers behind the F5 are serving HTTP traffic - I don't think we have any virtual servers set up without the HTTP profile, except for the aforementioned SSH traffic, but that totals up to a few connections per day, not per second, so it should not affect the math much at all.

     

  • Someone with admin access to the BIG-IP should be able to check the virtual server connection counts to see which virtual server(s) without an HTTP profile are receiving connections.

     

     

    Aaron
  • OK, it looks like some of our virtual servers are set up as the Performance Layer 4 type, which does not have the HTTP profile option (even though they are handling HTTP traffic). Is that likely to be the source of the traffic that shows as non-HTTP? If so, it looks like monitoring the sysStatHttpRequests OID will not be useful for us.