From 1b696490d0c152b0c164ec82f47f3ad667e39618 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Thu, 8 Oct 2020 09:36:18 -0500 Subject: [PATCH] Whitespace fixes only [nomail] [skip ci] --- scripts/policy/misc/capture-loss.zeek | 30 +++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/scripts/policy/misc/capture-loss.zeek b/scripts/policy/misc/capture-loss.zeek index 0b827db544..05fdee3011 100644 --- a/scripts/policy/misc/capture-loss.zeek +++ b/scripts/policy/misc/capture-loss.zeek @@ -1,10 +1,10 @@ ##! This script logs evidence regarding the degree to which the packet -##! capture process suffers from measurement loss. -##! The loss could be due to overload on the host or NIC performing -##! the packet capture or it could even be beyond the host. If you are -##! capturing from a switch with a SPAN port, it's very possible that +##! capture process suffers from measurement loss. +##! The loss could be due to overload on the host or NIC performing +##! the packet capture or it could even be beyond the host. If you are +##! capturing from a switch with a SPAN port, it's very possible that ##! the switch itself could be overloaded and dropping packets. -##! Reported loss is computed in terms of the number of "gap events" (ACKs +##! Reported loss is computed in terms of the number of "gap events" (ACKs ##! for a sequence number that's above a gap). @load base/frameworks/notice @@ -13,7 +13,7 @@ module CaptureLoss; export { redef enum Log::ID += { LOG }; - + global log_policy: Log::PolicyHook; redef enum Notice::Type += { @@ -21,7 +21,7 @@ export { ## threshold. Too_Much_Loss }; - + type Info: record { ## Timestamp for when the measurement occurred. ts: time &log; @@ -38,11 +38,11 @@ export { ## Percentage of ACKs seen where the data being ACKed wasn't seen. percent_lost: double &log; }; - + ## The interval at which capture loss reports are created. option watch_interval = 15mins; - - ## The percentage of missed data that is considered "too much" + + ## The percentage of missed data that is considered "too much" ## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be ## generated. The value is expressed as a double between 0 and 1 with 1 ## being 100%. @@ -56,7 +56,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps: schedule watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) }; return; } - + local now = network_time(); local g = get_gap_stats(); local acks = g$ack_events - last_acks; @@ -65,13 +65,13 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps: local info: Info = [$ts=now, $ts_delta=now-last_ts, $peer=peer_description, - $acks=acks, $gaps=gaps, + $acks=acks, $gaps=gaps, $percent_lost=pct_lost]; - + if ( pct_lost >= too_much_loss*100 ) - NOTICE([$note=Too_Much_Loss, + NOTICE([$note=Too_Much_Loss, $msg=fmt("The capture loss script detected an estimated loss rate above %.3f%%", pct_lost)]); - + Log::write(LOG, info); schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) }; }