This script logs evidence regarding the degree to which the packet capture process suffers from measurement loss. The loss could be due to overload on the host or NIC performing the packet capture or it could even be beyond the host. If you are capturing from a switch with a SPAN port, it’s very possible that the switch itself could be overloaded and dropping packets. Reported loss is computed in terms of the number of “gap events” (ACKs for a sequence number that’s above a gap).
||The percentage of missed data that is considered “too much”
||The interval at which capture loss reports are created.|
The percentage of missed data that is considered “too much” when the
CaptureLoss::Too_Much_Lossnotice should be generated. The value is expressed as a double between 0 and 1 with 1 being 100%.
Timestamp for when the measurement occurred.
The time delay between this measurement and the last.
In the event that there are multiple Zeek instances logging to the same host, this distinguishes each peer with its individual name.
Number of missed ACKs from the previous measurement interval.
Total number of ACKs seen in the previous measurement interval.
Percentage of ACKs seen where the data being ACKed wasn’t seen.