This is an automated email from the ASF dual-hosted git repository.
moonchen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 8e36c28103 net: count application bytes in read_bytes for TLS (#13282)
8e36c28103 is described below
commit 8e36c2810315953af8fca88f5f666ebfb4c5c247
Author: Mo Chen <[email protected]>
AuthorDate: Sat Jun 20 16:01:50 2026 -0500
net: count application bytes in read_bytes for TLS (#13282)
On TLS connections, net.read_bytes was only counting some bytes for the
handshake, and none of the incoming ciphertext. This is neither intuitive
nor consistent with net.write_bytes.
The fix for now is to make it symmetric with net.write_bytes. Count the
plaintext bytes for TLS. This means not counting the handshake bytes.
For a long term fix, I plan to add more comprehensive metrics for TLS.
---
.../monitoring/statistics/core/network-io.en.rst | 19 +++++++++++++++++++
src/iocore/net/SSLNetVConnection.cc | 5 +++--
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
b/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
index 56168ab959..f26d51457c 100644
--- a/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
+++ b/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
@@ -79,10 +79,29 @@ Network I/O
:type: counter
:units: bytes
+ Application-layer bytes read from client and origin connections. For TLS
+ connections this is the decrypted payload, symmetric with ``write_bytes``;
it
+ does not include TLS handshake or record-layer framing.
+
+.. ts:stat:: global proxy.process.net.read_bytes_count integer
+ :type: counter
+
+ The number of read operations that contributed to ``read_bytes``. For TLS
+ connections this is one per decrypted-read pass, not per socket read.
+
.. ts:stat:: global proxy.process.net.write_bytes integer
:type: counter
:units: bytes
+ Application-layer bytes written to client and origin connections. For TLS
+ connections this is the plaintext payload; it does not include TLS handshake
+ or record-layer framing.
+
+.. ts:stat:: global proxy.process.net.write_bytes_count integer
+ :type: counter
+
+ The number of write operations that contributed to ``write_bytes``.
+
.. ts:stat:: global proxy.process.tcp.total_accepts integer
:type: counter
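Review bot: The new read_bytes description states the TLS meaning but not that it changed, so operators comparing values across an upgrade have no cue that the counter moved from raw reads to decrypted payload; a short note on the release in which the semantics changed would cover that. Also, read_bytes_count spells out its TLS granularity ("one per decrypted-read pass, not per socket read") while write_bytes_count says nothing equivalent, which leaves the reader unsure whether the two counts are comparable on TLS connections.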
diff --git a/src/iocore/net/SSLNetVConnection.cc
b/src/iocore/net/SSLNetVConnection.cc
index 22702e81fd..ed7bb03cd3 100644
--- a/src/iocore/net/SSLNetVConnection.cc
+++ b/src/iocore/net/SSLNetVConnection.cc
@@ -287,6 +287,9 @@ SSLNetVConnection::_ssl_read_from_net(int64_t &ret)
Dbg(dbg_ctl_ssl, "bytes_read=%" PRId64, bytes_read);
s->vio.ndone += bytes_read;
+ // Decrypted application bytes, to match write_bytes (also plaintext for
TLS).
+ Metrics::Counter::increment(net_rsb.read_bytes, bytes_read);
+ Metrics::Counter::increment(net_rsb.read_bytes_count);
this->netActivity();
ret = bytes_read;
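Review bot: read_bytes_count is incremented unconditionally next to read_bytes, right after `s->vio.ndone += bytes_read;`, so if this point can be reached with bytes_read equal to 0 the operation count grows while the byte count does not. Confirm that the enclosing branch guarantees bytes_read > 0, or guard the two increments. The diffstat lists only the documentation and this source file, so no test pins the new semantics; an assertion that read_bytes equals the plaintext size on a TLS transaction would do it.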
@@ -351,8 +354,6 @@ SSLNetVConnection::read_raw_data()
r = total_read - rattempted + r;
}
}
- Metrics::Counter::increment(net_rsb.read_bytes, r);
- Metrics::Counter::increment(net_rsb.read_bytes_count);
if (!this->haveCheckedProxyProtocol) {
// The PROXY Protocol, by spec, is designed to require only the first TCP
packet of bytes
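Review bot: With the two increments gone from read_raw_data(), nothing visible in this patch counts bytes that this function consumes before decryption, such as the PROXY protocol header handled just below the removed lines. If that is intended, state it in the read_bytes documentation alongside the handshake and record-layer exclusions; otherwise count those bytes at the point where they are consumed.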