TCP connections are a vital indicator of your server's network health and can reveal everything from normal traffic patterns to potential security threats. Server Scout's TCP connection monitoring provides insights into connection states, helping you identify issues before they impact performance.
Enabling TCP Connection Monitoring
To start monitoring TCP connections, you'll need to enable the tcp_connections metric in your Server Scout agent configuration:
- Open your agent configuration file (typically /opt/scout-agent/agent.env.yml)
- Add or uncomment the following line in the metrics section:
```yaml
metrics:
  - tcp_connections
```
- Restart the Server Scout agent:
```bash
sudo systemctl restart scout-agent
```
The agent will begin collecting connection data within the next monitoring cycle.
How Connection Counting Works
Server Scout's agent counts ESTABLISHED TCP connections by parsing the /proc/net/tcp and /proc/net/tcp6 files on Linux systems. These pseudo-files contain real-time information about all TCP connections on your server.
The agent specifically looks for connections in the ESTABLISHED state (state code 01 in /proc/net/tcp), which represents active, fully-connected TCP sessions. This gives you an accurate count of current network activity without including transitional states like TIME_WAIT or SYN_SENT.
You can manually inspect this data yourself:
```bash
# Count ESTABLISHED connections (state 01) across IPv4 and IPv6, as the agent does
cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | awk '$4=="01"' | wc -l
# Or use netstat for a more readable format
netstat -tn | grep ESTABLISHED | wc -l
```
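The counting described above, as an added example (not Server Scout's agent code): a small Python parser for the /proc/net/tcp layout that tallies every state and groups ESTABLISHED connections by remote address, so a rising count can be traced to the peers behind it. The function names and sample lines are constructed for illustration, and address decoding assumes a little-endian host.

```python
import ipaddress
import sys
from collections import Counter
from pathlib import Path

# State codes used in the "st" column (kernel TCP state numbering).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

def decode_addr(field):
    """Turn '0A00000A:01BB' into ('10.0.0.10', 443). Assumes a little-endian host."""
    hex_ip, hex_port = field.split(":")
    raw = bytes.fromhex(hex_ip)
    # Each 32-bit word is printed in host byte order, so reverse every 4 bytes.
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return str(ipaddress.ip_address(fixed)), int(hex_port, 16)

def summarise(text):
    """Return (count per state, ESTABLISHED count per remote IP)."""
    states, peers = Counter(), Counter()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].endswith(":"):
            continue  # header or blank line
        states[TCP_STATES.get(cols[3], cols[3])] += 1
        if cols[3] == "01":
            peers[decode_addr(cols[2])[0]] += 1
    return states, peers

# Constructed sample in /proc/net/tcp layout (documentation address ranges).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:01BB 0A0200C0:C350 01 00000000:00000000 00:00000000 00000000    33        0 1002
   2: 0A00000A:01BB 0A0200C0:C351 01 00000000:00000000 00:00000000 00000000    33        0 1003
   3: 0A00000A:01BB 076433C6:D431 01 00000000:00000000 00:00000000 00000000    33        0 1004
   4: 0A00000A:01BB 0A0200C0:C352 06 00000000:00000000 03:00000A5F 00000000     0        0 0
"""

if __name__ == "__main__":
    # Pass /proc/net/tcp /proc/net/tcp6 as arguments to inspect a live host.
    text = "".join(Path(p).read_text() for p in sys.argv[1:]) or SAMPLE
    states, peers = summarise(text)
    print(dict(states))
    print(peers.most_common(5))
```

Run without arguments it summarises the constructed sample; the ESTABLISHED total is the figure the one-line awk check reports.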
Understanding Connection Patterns
TCP connection counts reveal several important aspects of your server's behaviour:
Normal Traffic Patterns: Web servers typically show predictable connection patterns that correlate with user activity. Database servers might maintain steady connection pools, whilst application servers may exhibit spiky patterns during batch processing.
Connection Leaks: Applications that don't properly close connections will show gradually increasing connection counts over time. This often indicates coding issues or misconfigured connection pooling.
DDoS Indicators: Sudden spikes in connection counts, especially when combined with high network throughput, can indicate distributed denial-of-service attacks or unusual traffic surges.
Resource Exhaustion: Systems approaching their connection limits (often around 65,535 per IP) will show consistently high connection counts, potentially leading to service degradation.
Viewing Connection Trends
Navigate to your server's detail page in the Server Scout dashboard to view TCP connection trends. The connection graph displays:
- Historical connection counts over your selected time period
- Peak and average connection levels
- Correlation with other metrics like CPU usage and network throughput
Look for patterns such as:
- Daily/weekly cycles that match expected usage
- Gradual increases suggesting connection leaks
- Sharp spikes indicating traffic surges or attacks
Setting Up Connection Alerts
Proactive monitoring requires alerts for abnormal connection behaviour:
- Go to your server's alert configuration page
- Create a new alert rule for "TCP Connections"
- Set thresholds based on your server's normal patterns:
  - Warning threshold: 150% of normal peak connections
  - Critical threshold: 200% of normal peak connections
- Configure notification preferences (email, Slack, etc.)
For servers with highly variable traffic, consider using rate-of-change alerts instead of absolute thresholds to catch sudden spikes.
Troubleshooting with Combined Metrics
TCP connection data becomes most valuable when analysed alongside network throughput metrics. Common troubleshooting scenarios include:
High connections, low throughput: Suggests many idle connections or connection exhaustion attacks. Check for application connection leaks or implement connection limits.
High throughput, normal connections: Indicates efficient connection reuse or large data transfers per connection. Generally positive, but monitor for sustained periods that might indicate data exfiltration.
Sudden spikes in both: Classic DDoS pattern. Cross-reference with server logs and consider implementing rate limiting.
By combining TCP connection monitoring with Server Scout's other network metrics, you'll gain comprehensive visibility into your server's network behaviour and can respond quickly to both performance issues and security threats.