Ask Your Question
0

What does KO mean in HTTP Load Distribution Statistics?

asked 2023-11-13 18:30:04 +0000

KDC gravatar image

updated 2023-11-13 18:32:39 +0000

If I look under Statistics, HTTP, Load Distribution I have HTTP Responses by Server Address, a server, IP, and then OK and KO columns. What does the KO mean. I can't find a reference to it anywhere.

Thank you,

Dave

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2023-11-13 20:04:36 +0000

Guy Harris gravatar image

updated 2023-11-15 00:51:20 +0000

What does the KO mean.

As @Chuckc's response suggests, it means "not OK". I might suggest that a better string should be chosen, as you shouldn't have had to ask this question; the fact that you did suggests that "KO" is not a particularly obvious choice for that column's value, and should perhaps be reconsidered.

If you agree, please file an issue on the Wireshark issue list.

As the code in @Chuckc's response indicates, a "not OK" response value is one that's either 100 or less, or 400 or more. Section 6 "Response Status Codes" of RFC 7231 "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content" describes the status codes, which are what that code is testing. It indicates that:

  • codes from 100 to 199 are "informational", meaning that the request was accepted and the process of responding to it is continuing;
  • codes from 200 to 299 indicate that "the request was successfully received, understood, and accepted";
  • codes from 300 to 399 indicate that "further action needs to be taken in order to complete the request";
  • codes from 400 to 499 indicate that "the request contains bad syntax or cannot be fulfilled";
  • codes from 500 to 599 indicate that "the server failed to fulfill an apparently valid request".

Values less than 100 or greater than 599 are not documented there.

So the idea is that codes from 100 to 399 indicate that the request was either successful or hasn't failed yet ("OK"). Requests from 400 up indicate that the request was not successful ("KO").

As for @Chuckc's comment "Not sure why it doesn't include 100 as good response.", 100 is described in section 6.2.1 "100 Continue" as meaning that "the initial part of a request has been received and has not yet been rejected by the server. The server intends to send a final response after the request has been fully received and acted upon." I'm not sure why this is considered "not OK"; perhaps what was intended for "OK" is (i>=100)&&(i<400), meaning "in the range beginning at 100 and ending just before 400.

Chuck, you should probably file an issue on this.

UPDATE: I've checked changes into the main and 4.2 branch to 1) treat 100 as OK and 2) report errors as "Error" rather than "KO", so the 4.2.x releases should work that way.

edit flag offensive delete link more

Comments

@Guy Harris Thanks for the clarification. There seems to be no documentation on this. I even looked in a few books on Wireshark and they mention the feature but no breakdown of what you are actually looking at.

In my case I was trying to hunt down HTTP requests that were getting no response from the server. I wonder if they would be listed as KO's or just HTTP fault codes are recorded that way.

Thanks again!

Dave

KDC gravatar imageKDC ( 2023-11-14 17:18:31 +0000 )edit

In my case I was trying to hunt down HTTP requests that were getting no response from the server. I wonder if they would be listed as KO's or just HTTP fault codes are recorded that way.

They wouldn't be listed as "KO" - or, in the current main branch and the upcoming 4.2.0 release, "Error" - as that's based on the error code. If the dissector checks for requests with no responses, it should probably show those as "No response".

Guy Harris gravatar imageGuy Harris ( 2023-11-15 00:53:07 +0000 )edit
0

answered 2023-11-13 19:12:03 +0000

Chuckc gravatar image

updated 2023-11-13 19:18:29 +0000

Not sure why it doesn't include 100 as good response.

Everything outside the range is an error?

epan/dissectors/packet-http.c:

    int i = v->response_code;
...
        if ( (i>100)&&(i<400) ) {
            tick_stat_node(st, "OK", resps_by_this_addr, FALSE);
        } else {
            tick_stat_node(st, "KO", resps_by_this_addr, FALSE);
        }

You can compare the counts by looking at the response codes:

http.response.code <101 or http.response.code > 399

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-11-13 18:30:04 +0000

Seen: 1,028 times

Last updated: Nov 15 '23