capture-loss.zeek¶

CaptureLoss¶

This script logs evidence regarding the degree to which the packet capture process suffers from measurement loss. The loss could be due to overload on the host or NIC performing the packet capture or it could even be beyond the host. If you are capturing from a switch with a SPAN port, it’s very possible that the switch itself could be overloaded and dropping packets. Reported loss is computed in terms of the number of “gap events” (ACKs for a sequence number that’s above a gap).

Namespace:	CaptureLoss
Imports:	base/frameworks/notice

Summary¶

Runtime Options¶

`CaptureLoss::too_much_loss`: `double` `&redef`	The percentage of missed data that is considered “too much” when the `CaptureLoss::Too_Much_Loss` notice should be generated.
`CaptureLoss::watch_interval`: `interval` `&redef`	The interval at which capture loss reports are created.

Types¶

CaptureLoss::Info: record

Redefinitions¶

`Log::ID`: `enum`
`Notice::Type`: `enum`

Detailed Interface¶

Runtime Options¶

CaptureLoss::too_much_loss¶

Type:	`double`
Attributes:	`&redef`
Default:	`0.1`

The percentage of missed data that is considered “too much” when the CaptureLoss::Too_Much_Loss notice should be generated. The value is expressed as a double between 0 and 1 with 1 being 100%.

CaptureLoss::watch_interval¶

Type:	`interval`
Attributes:	`&redef`
Default:	`15.0 mins`

The interval at which capture loss reports are created.

Types¶

CaptureLoss::Info¶

Type:

record

ts: time &log: Timestamp for when the measurement occurred.
ts_delta: interval &log: The time delay between this measurement and the last.
peer: string &log: In the event that there are multiple Zeek instances logging to the same host, this distinguishes each peer with its individual name.
gaps: count &log: Number of missed ACKs from the previous measurement interval.
acks: count &log: Total number of ACKs seen in the previous measurement interval.
percent_lost: double &log: Percentage of ACKs seen where the data being ACKed wasn’t seen.