Know the 5 elements that tell you whether a TCP session is healthy!
As a rule of thumb, healthy sessions are identified by the following 5 KPIs (Key Performance Indicators) and their thresholds:
- # SYNs – refers to session starts; should be twice the number of sessions. This is because of the 3-way handshake SYN | SYN-ACK | ACK, in which both the SYN and the SYN-ACK carry the SYN flag (ACK stands for Acknowledgment, indicating “no errors – please continue”).
- # FINs – refers to session endings; should be roughly twice the number of sessions. This is because in a healthy situation each session ends with a FIN-ACK initiated and confirmed by both the client and the server side. “Roughly” because some applications work with long-lasting sessions, meaning that from time to time the number of FINs might actually be lower than twice the number of sessions.
- # RSTs – refers to session resets; should be close to zero, indicating a low number of session resets. Depending on the TCP stack, it could also be an indicator of the number of session endings, with the RST used in a similar way to a FIN-ACK. In particular, Microsoft applications running over SSL are well known for this (mis-)behavior.
- # DupAcks – refers to packets that are delayed or dropped; should be close to zero, indicating a low number of delayed/lost packets.
- # 0-Wins – refers to high system utilization; is expected to be close to zero, indicating that the involved hosts are in good shape for processing incoming packets.
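
The five counters above, computed over packet records and checked against the rule-of-thumb thresholds, as an added example that is not part of the original article. The record layout, the sample packets and the `near_zero` cut-off for "close to zero" are assumptions, and the duplicate-ACK test is a simplification of what a protocol analyzer does.

```python
from collections import Counter

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP header flag bits

def tcp_kpis(packets):
    """Count the five KPIs over (src, dst, flags, ack, window, payload_len) records."""
    kpi, sessions, last_ack = Counter(), set(), {}
    for src, dst, flags, ack, window, length in packets:
        sessions.add(frozenset((src, dst)))      # both directions form one session
        kpi["syn"] += bool(flags & SYN)          # SYN and SYN-ACK both count
        kpi["fin"] += bool(flags & FIN)
        kpi["rst"] += bool(flags & RST)
        # Zero window: receiver has no buffer left. RSTs commonly carry window 0, so skip them.
        kpi["zero_win"] += window == 0 and not flags & RST
        # Duplicate ACK (simplified): an empty, ACK-only segment that repeats the
        # previous ACK number and window seen in the same direction.
        if flags == ACK and length == 0 and last_ack.get((src, dst)) == (ack, window):
            kpi["dup_ack"] += 1
        if flags & ACK:
            last_ack[(src, dst)] = (ack, window)
    kpi["sessions"], kpi["packets"] = len(sessions), len(packets)
    return kpi

def assess(kpi, near_zero=0.02):
    """Return the KPIs outside the thresholds; near_zero (share of packets) is assumed."""
    n, total = kpi["sessions"], kpi["packets"]
    # Fewer FINs than 2 per session is tolerated (long-lasting sessions), more is not.
    checks = {"syn": kpi["syn"] != 2 * n, "fin": kpi["fin"] > 2 * n}
    for name in ("rst", "dup_ack", "zero_win"):
        checks[name] = kpi[name] > near_zero * total
    return [name for name, bad in checks.items() if bad]

C1, C2, S = "10.0.0.5:50000", "10.0.0.6:50001", "10.0.0.9:443"  # constructed endpoints
HEALTHY = [  # constructed: handshake, request/response, FIN-ACK from both sides
    (C1, S, SYN, 0, 64240, 0), (S, C1, SYN | ACK, 1001, 65160, 0),
    (C1, S, ACK, 5001, 64240, 0), (C1, S, PSH | ACK, 5001, 64240, 200),
    (S, C1, ACK, 1201, 65160, 0), (S, C1, PSH | ACK, 1201, 65160, 500),
    (C1, S, ACK, 5501, 64240, 0), (C1, S, FIN | ACK, 5501, 64240, 0),
    (S, C1, FIN | ACK, 1202, 65160, 0), (C1, S, ACK, 5502, 64240, 0),
]
DEGRADED = [  # constructed: repeated ACKs, a zero window, then a reset instead of FINs
    (C2, S, SYN, 0, 64240, 0), (S, C2, SYN | ACK, 2001, 65160, 0),
    (C2, S, ACK, 9001, 64240, 0), (S, C2, PSH | ACK, 2001, 65160, 500),
    (C2, S, ACK, 9501, 64240, 0), (C2, S, ACK, 9501, 64240, 0),
    (C2, S, ACK, 9501, 64240, 0), (C2, S, ACK, 9501, 0, 0),
    (S, C2, RST | ACK, 2001, 0, 0),
]
```

`assess(tcp_kpis(HEALTHY))` returns an empty list, while adding the `DEGRADED` session flags `rst`, `dup_ack` and `zero_win`.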