capture-loss.zeek

CaptureLoss

This script logs evidence regarding the degree to which the packet capture process suffers from measurement loss. The loss could be due to overload on the host or NIC performing the packet capture or it could even be beyond the host. If you are capturing from a switch with a SPAN port, it’s very possible that the switch itself could be overloaded and dropping packets. Reported loss is computed in terms of the number of “gap events” (ACKs for a sequence number that’s above a gap).

Namespace:: CaptureLoss
Imports:: base/frameworks/notice

Summary

Runtime Options

`CaptureLoss::initial_watch_interval`: `interval` `&redef`	For faster feedback on cluster health, the first capture loss report is generated this many minutes after startup.
`CaptureLoss::minimum_acks`: `count` `&redef`	The minimum number of ACKs expected for a single peer in a watch interval.
`CaptureLoss::too_much_loss`: `double` `&redef`	The percentage of missed data that is considered “too much” when the `CaptureLoss::Too_Much_Loss` notice should be generated.
`CaptureLoss::watch_interval`: `interval` `&redef`	The interval at which capture loss reports are created in a running cluster (that is, after the first report).

Types

CaptureLoss::Info: record

Redefinitions

`Log::ID`: `enum`	`CaptureLoss::LOG`
`Notice::Type`: `enum`	`CaptureLoss::Too_Little_Traffic`: Report if the traffic seen by a peer within a given watch interval is less than `CaptureLoss::minimum_acks`. `CaptureLoss::Too_Much_Loss`: Report if the detected capture loss exceeds the percentage threshold defined in `CaptureLoss::too_much_loss`.

Hooks

CaptureLoss::log_policy: Log::PolicyHook

Detailed Interface

Runtime Options

CaptureLoss::initial_watch_interval 

Type:: interval
Attributes:: &redef
Default:: 1.0 min

For faster feedback on cluster health, the first capture loss report is generated this many minutes after startup.

CaptureLoss::minimum_acks 

Type:: count
Attributes:: &redef
Default:: 1

The minimum number of ACKs expected for a single peer in a watch interval. If the number seen is less than this, CaptureLoss::Too_Little_Traffic is raised.

CaptureLoss::too_much_loss 

Type:: double
Attributes:: &redef
Default:: 0.1

The percentage of missed data that is considered “too much” when the CaptureLoss::Too_Much_Loss notice should be generated. The value is expressed as a double between 0 and 1 with 1 being 100%.

CaptureLoss::watch_interval 

Type:: interval
Attributes:: &redef
Default:: 15.0 mins

The interval at which capture loss reports are created in a running cluster (that is, after the first report).

Types

CaptureLoss::Info 

Type:

record

Fields:

ts: time &log: Timestamp for when the measurement occurred.

ts_delta: interval &log: The time delay between this measurement and the last.

peer: string &log: In the event that there are multiple Zeek instances logging to the same host, this distinguishes each peer with its individual name.

gaps: count &log: Number of missed ACKs from the previous measurement interval.

acks: count &log: Total number of ACKs seen in the previous measurement interval.

percent_lost: double &log: Percentage of ACKs seen where the data being ACKed wasn’t seen.

Hooks

CaptureLoss::log_policy 

Type:: Log::PolicyHook