policy/misc/capture-loss.zeek

CaptureLoss

This script logs evidence regarding the degree to which the packet capture process suffers from measurement loss. The loss could be due to overload on the host or NIC performing the packet capture or it could even be beyond the host. If you are capturing from a switch with a SPAN port, it’s very possible that the switch itself could be overloaded and dropping packets. Reported loss is computed in terms of the number of “gap events” (ACKs for a sequence number that’s above a gap).

Namespace

CaptureLoss

Imports

base/frameworks/notice

Summary

Runtime Options

CaptureLoss::initial_watch_interval: interval &redef

For faster feedback on cluster health, the first capture loss report is generated this many minutes after startup.

CaptureLoss::minimum_acks: count &redef

The minimum number of ACKs expected for a single peer in a watch interval.

CaptureLoss::too_much_loss: double &redef

The percentage of missed data that is considered “too much”; when it is exceeded, the CaptureLoss::Too_Much_Loss notice is generated.

CaptureLoss::watch_interval: interval &redef

The interval at which capture loss reports are created in a running cluster (that is, after the first report).

Types

CaptureLoss::Info: record

Redefinitions

Log::ID: enum

Notice::Type: enum

Hooks

CaptureLoss::log_policy: Log::PolicyHook

Detailed Interface

Runtime Options

CaptureLoss::initial_watch_interval
Type: interval
Attributes: &redef
Default: 1.0 min

For faster feedback on cluster health, the first capture loss report is generated this many minutes after startup.

CaptureLoss::minimum_acks
Type: count
Attributes: &redef
Default: 1

The minimum number of ACKs expected for a single peer in a watch interval. If the number seen is less than this, CaptureLoss::Too_Little_Traffic is raised.

CaptureLoss::too_much_loss
Type: double
Attributes: &redef
Default: 0.1

The percentage of missed data that is considered “too much”; when it is exceeded, the CaptureLoss::Too_Much_Loss notice is generated. The value is expressed as a double between 0 and 1, with 1 being 100%.

CaptureLoss::watch_interval
Type: interval
Attributes: &redef
Default: 15.0 mins

The interval at which capture loss reports are created in a running cluster (that is, after the first report).
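As an added example (not code from the capture-loss script or this page), a local.zeek fragment that tunes the four options above and escalates the resulting notices. The thresholds are assumptions for a sensor expected to see at least 1000 ACKs per interval; Notice::policy and Notice::ACTION_EMAIL are part of the notice framework this script imports.

```zeek
@load policy/misc/capture-loss

# First report 30 seconds after startup, then every 5 minutes
# (page defaults: 1.0 min and 15.0 mins).
redef CaptureLoss::initial_watch_interval = 30 secs;
redef CaptureLoss::watch_interval = 5 mins;

# Treat more than 2% missed data as too much (page default: 0.1, i.e. 10%).
redef CaptureLoss::too_much_loss = 0.02;

# Assumed sensor load: fewer than 1000 ACKs per interval means the link is
# quiet or the tap is dead, so Too_Little_Traffic is raised instead.
redef CaptureLoss::minimum_acks = 1000;

# Escalate both notices: capture loss means blind spots in every other log.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == CaptureLoss::Too_Much_Loss ||
         n$note == CaptureLoss::Too_Little_Traffic )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

Notice::ACTION_EMAIL only delivers when Notice::mail_dest is also set; without it, the notice still appears in notice.log. Too_Little_Traffic is worth escalating alongside Too_Much_Loss, because a silent tap produces no gap events at all and would otherwise look like a perfectly clean capture.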

Types

CaptureLoss::Info
Type: record

ts: time &log

Timestamp for when the measurement occurred.

ts_delta: interval &log

The time delay between this measurement and the last.

peer: string &log

In the event that there are multiple Zeek instances logging to the same host, this distinguishes each peer with its individual name.

gaps: count &log

Number of missed ACKs from the previous measurement interval.

acks: count &log

Total number of ACKs seen in the previous measurement interval.

percent_lost: double &log

Percentage of ACKs seen where the data being ACKed wasn’t seen.

Hooks

CaptureLoss::log_policy
Type: Log::PolicyHook
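As an added example (not the script's own code), a handler for this hook that keeps capture_loss.log limited to intervals where loss was actually observed. The decision to suppress clean measurements is an assumed site choice; the record fields used (gaps, acks) are those of CaptureLoss::Info above.

```zeek
@load policy/misc/capture-loss

# Drop measurements with no gaps so capture_loss.log only records intervals
# in which data being ACKed was missed. Intervals with zero ACKs are kept,
# since they indicate a quiet or dead tap rather than a clean capture.
hook CaptureLoss::log_policy(rec: CaptureLoss::Info, id: Log::ID, filter: Log::Filter)
    {
    if ( rec$gaps == 0 && rec$acks > 0 )
        break;
    }
```

`break` in a Log::PolicyHook handler vetoes writing that record; the measurement itself and any CaptureLoss::Too_Much_Loss notice it triggers are unaffected, so the notice path remains the authoritative alert.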