policy/misc/capture-loss.zeek

CaptureLoss
This script logs evidence of how much measurement loss the packet capture process suffers. The loss may be caused by overload on the host or NIC doing the capture, or it may originate upstream of the host: if you are capturing from a switch SPAN port, the switch itself may be overloaded and dropping packets before they ever reach the sensor. Reported loss is computed from the number of "gap events", i.e. TCP ACKs that acknowledge a sequence number beyond data Zeek never saw, relative to the total number of ACKs observed. Because the estimate is derived from TCP acknowledgements, it reflects loss in TCP traffic and is only as good as the volume of ACKs seen in the measurement interval.
Namespace: CaptureLoss
Imports: base/frameworks/notice
Summary

Runtime Options

CaptureLoss::too_much_loss: double &redef
    The percentage of missed data that is considered "too much", at which point the CaptureLoss::Too_Much_Loss notice is generated.
CaptureLoss::watch_interval: interval &redef
    The interval at which capture loss reports are created.

Types

CaptureLoss::Info: record

Redefinitions

Log::ID: enum
Notice::Type: enum
Detailed Interface

Runtime Options

CaptureLoss::too_much_loss
    Type: double
    Attributes: &redef
    Default: 0.1
    The share of missed data that is considered "too much", at which point the CaptureLoss::Too_Much_Loss notice is generated. The value is a fraction expressed as a double between 0 and 1, with 1 meaning 100%; the default of 0.1 therefore corresponds to 10% loss.
Types

CaptureLoss::Info
    Type: record
        ts: time &log
            Timestamp for when the measurement occurred.
        ts_delta: interval &log
            The time elapsed between this measurement and the previous one.
        peer: string &log
            When multiple Zeek instances log to the same host, this distinguishes each peer by its individual name.
        gaps: count &log
            Number of gap events (ACKs for data that was never seen) in the previous measurement interval.
        acks: count &log
            Total number of ACKs seen in the previous measurement interval.
        percent_lost: double &log
            Percentage of ACKs seen for which the data being ACKed was not seen.
- ts: