How ExtraHop Calculates Unanswered SYNs



Hello All,

An interesting question was asked about a specific ExtraHop metric. I want to know how the EH decides the SYNs Unanswered. Is there a specific timeout when it is reported that the SYN is unanswered?

This is specific to the Device L4 metric - Unanswered SYNs:


For this particular metric, we increment the counter if we observe a SYN transmitted, and then the next thing we observe is the client sending the SYN again.

Note that sometimes after the second SYN, we may see a server respond with a SYN+ACK. Other times, we won’t. But in both of those cases, the “Unanswered SYNs” counter is incremented.
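The counting rule described in the answer above, as an added sketch that is not part of the original thread and is not ExtraHop's code. It assumes "the next thing we observe" is judged per connection (source/destination address and port); the `Packet` record, the function names, and the sample packets are constructed for illustration.

```python
from collections import Counter, namedtuple

# Constructed packet record; flags is a frozenset such as {"SYN"} or {"SYN", "ACK"}.
Packet = namedtuple("Packet", "src sport dst dport flags")

def count_unanswered_syns(packets):
    """Return a Counter of unanswered SYNs keyed by (src, sport, dst, dport)."""
    awaiting = set()   # connections whose most recent observed packet was a client SYN
    counts = Counter()
    for p in packets:
        conn = (p.src, p.sport, p.dst, p.dport)
        if p.flags == {"SYN"}:
            # A SYN followed directly by the same SYN: increment, no timer involved.
            if conn in awaiting:
                counts[conn] += 1
            awaiting.add(conn)
        else:
            # Any other packet in either direction means the SYN was followed
            # by something other than a repeat, so clear the pending state.
            awaiting.discard(conn)
            awaiting.discard((p.dst, p.dport, p.src, p.sport))
    return counts

def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))

C, S = "192.0.2.10", "198.51.100.5"   # documentation addresses, constructed
SAMPLE = [
    pkt(C, 40001, S, 443, "SYN"),
    pkt(C, 40002, S, 443, "SYN"),
    pkt(S, 443, C, 40002, "SYN", "ACK"),   # answered on the first try: not counted
    pkt(C, 40001, S, 443, "SYN"),          # repeat SYN: counted
    pkt(S, 443, C, 40001, "SYN", "ACK"),   # late SYN+ACK does not undo the count
    pkt(C, 40002, S, 443, "ACK"),
    pkt(C, 40001, S, 443, "ACK"),
    pkt(C, 40003, S, 8443, "SYN"),
    pkt(C, 40003, S, 8443, "SYN"),         # counted
    pkt(C, 40003, S, 8443, "SYN"),         # counted again, server never replies
]

if __name__ == "__main__":
    for conn, n in count_unanswered_syns(SAMPLE).items():
        print(conn, n)
```

In this sketch the count is driven by the repeated SYN itself rather than by a timeout, which matches the behavior the answer describes.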