Documentation
¶
Overview ¶
Package history analyzes client contact history to compute statistics and find anomalies.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Summary ¶
type Summary struct {
Start, End time.Time // First and last contact analyzed.
Count int // Number of contacts analyzed.
IPCount int // Number of distinct IPs observed.
Splits int // Number of excess references to nonces.
SplitPoints int // Number of distinct nonces with more than 1 reference.
Skips int // Number of points which reference a nonce other than the immediately previous contact.
}
Summary describes the result of analyzing a sequence of contacts made by a single client id.
The Splits, SplitPoints and Skips fields work together to recognize when a machine is restored from backup or cloned:
In normal operation they will all be 0.
When a machine is restored from a backup, restarted from a fixed VM image or otherwise caused to use old FS state, we will count 1 Split and 1 Skip for every restore. We also count 1 SplitPoint for every image that we restore from.
NOTE: All SplitPoints occurring before the time range of contacts we are given are merged together. This this allows us to more accurately count past Splits, but means we might under count SplitPoints.
When a machine is cloned n ways, Splits, SplitPoints and Skips will be counted as we would for n restores. However, we'll also see ~n Skips per poll interval (default poll interval is 5 min). Therefore Skips > Splits is evidence that a machine has been cloned.
Source Files