Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Whitespace fixes only [nomail] [skip ci]

Browse source
This commit is contained in:
Vlad Grigorescu 2020-10-08 09:36:18 -05:00
parent d2f260c168
commit 1b696490d0
1 changed files with 15 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

30
scripts/policy/misc/capture-loss.zeek
View file

@ -1,10 +1,10 @@
##! This script logs evidence regarding the degree to which the packet ##! This script logs evidence regarding the degree to which the packet
##! capture process suffers from measurement loss. ##! capture process suffers from measurement loss.
##! The loss could be due to overload on the host or NIC performing ##! The loss could be due to overload on the host or NIC performing
##! the packet capture or it could even be beyond the host. If you are ##! the packet capture or it could even be beyond the host. If you are
##! capturing from a switch with a SPAN port, it's very possible that ##! capturing from a switch with a SPAN port, it's very possible that
##! the switch itself could be overloaded and dropping packets. ##! the switch itself could be overloaded and dropping packets.
##! Reported loss is computed in terms of the number of "gap events" (ACKs ##! Reported loss is computed in terms of the number of "gap events" (ACKs
##! for a sequence number that's above a gap). ##! for a sequence number that's above a gap).
@load base/frameworks/notice @load base/frameworks/notice
@ -13,7 +13,7 @@ module CaptureLoss;
export { export {
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
global log_policy: Log::PolicyHook; global log_policy: Log::PolicyHook;
redef enum Notice::Type += { redef enum Notice::Type += {
@ -21,7 +21,7 @@ export {
## threshold. ## threshold.
Too_Much_Loss Too_Much_Loss
}; };
type Info: record { type Info: record {
## Timestamp for when the measurement occurred. ## Timestamp for when the measurement occurred.
ts: time &log; ts: time &log;
@ -38,11 +38,11 @@ export {
## Percentage of ACKs seen where the data being ACKed wasn't seen. ## Percentage of ACKs seen where the data being ACKed wasn't seen.
percent_lost: double &log; percent_lost: double &log;
}; };
## The interval at which capture loss reports are created. ## The interval at which capture loss reports are created.
option watch_interval = 15mins; option watch_interval = 15mins;
## The percentage of missed data that is considered "too much" ## The percentage of missed data that is considered "too much"
## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be ## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be
## generated. The value is expressed as a double between 0 and 1 with 1 ## generated. The value is expressed as a double between 0 and 1 with 1
## being 100%. ## being 100%.
@ -56,7 +56,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
schedule watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) }; schedule watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
return; return;
} }
local now = network_time(); local now = network_time();
local g = get_gap_stats(); local g = get_gap_stats();
local acks = g$ack_events - last_acks; local acks = g$ack_events - last_acks;
@ -65,13 +65,13 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
local info: Info = [$ts=now, local info: Info = [$ts=now,
$ts_delta=now-last_ts, $ts_delta=now-last_ts,
$peer=peer_description, $peer=peer_description,
$acks=acks, $gaps=gaps, $acks=acks, $gaps=gaps,
$percent_lost=pct_lost]; $percent_lost=pct_lost];
if ( pct_lost >= too_much_loss*100 ) if ( pct_lost >= too_much_loss*100 )
NOTICE([$note=Too_Much_Loss, NOTICE([$note=Too_Much_Loss,
$msg=fmt("The capture loss script detected an estimated loss rate above %.3f%%", pct_lost)]); $msg=fmt("The capture loss script detected an estimated loss rate above %.3f%%", pct_lost)]);
Log::write(LOG, info); Log::write(LOG, info);
schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) }; schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) };
} }