Logging variable question

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> · Sat, 28 Feb 2015 15:55:33 -0000

Spam detection software, running on the system "master.squid-cache.org",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
@@CONTACT_ADDRESS@@ for details.

Content preview:  Hi, I wonder about the total size variables <st and >st for
   squid logs # <st Sent reply size including HTTP headers # >st Received request
   size including HTTP headers. In the # case of chunked requests the chunked
   encoding metadata # are not included [...] 

Content analysis details:   (7.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 STOX_REPLY_TYPE        No description available.
 0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=gcwsg-squid-users%40m.gmane.org;ip=81.174.172.105;r=master.squid-cache.org]
 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 1.9 STOX_REPLY_TYPE_WITHOUT_QUOTES No description available.
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 3.5 TO_NO_BRKTS_MSFT       To: misformatted and supposed Microsoft tool

--- Begin Message ---

Subject: Logging variable  question
From: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Date: Sat, 28 Feb 2015 15:55:33 -0000
Importance: Normal

Hi,

  I wonder about the total size variables <st and >st for squid logs

# <st   Sent reply size including HTTP headers
# >st   Received request size including HTTP headers. In the
#       case of chunked requests the chunked encoding metadata
#       are not included

I have set the logformat to

logformat squid_mm      %tg %6tr %>a %Ss/%03>Hs %<st %>st %rm %ru %un 
%Sh/%<A %mt

and have 2 cases for which I would like to see the request/reply total data 
size.

Case 1

Just receiving data.  (44073 and 35754 are local and remote ports 
respectively)

28/Feb/2015:15:29:27   5887 192.168.1.17 TCP_TUNNEL/200 8895 45 CONNECT 
opensuse13.suse.home:443 - HIER_DIRECT/opensuse13.suse.home -

opensuse13:~ # grep tunnel /var/log/squid/cache_3.5.log  | grep 44073 | 
egrep readClient | awk '{ rc=rc+$12 }END{print rc"\n"}'
3483
opensuse13:~ # grep tunnel /var/log/squid/cache_3.5.log  | grep 35754 | grep 
readServer | awk '{ rs=rs+$12 }END{print rs"\n"}'
8895

Case 2

Receiving and posting data.

28/Feb/2015:15:38:21  15399 192.168.1.17 TCP_TUNNEL/200 7887 45 CONNECT 
opensuse13.suse.home:443 - HIER_DIRECT/opensuse13.suse.home -

opensuse13:~ # grep tunnel /var/log/squid/cache_3.5.log  | grep 44075 | grep 
readClient | awk '{ rc=rc+$12 }END{print rc"\n"}'
14555
opensuse13:~ # grep tunnel /var/log/squid/cache_3.5.log  | grep 35756 | grep 
readServer | awk '{ rs=rs+$12 }END{print rs"\n"}'
7887

In both cases I see >st is only 45 bytes. But if I look at the debug from 
tunnel.cc  I see quite different numbers for thre read data ( BTW they match 
for <st).

Is this a bug or my wrong interpretation of >st ?

Thank you
Markus 

--- End Message ---
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users