Merge remote-tracking branch 'origin/topic/vlad/caploss_no_traffic'

- Tweaked the Too_Little_Traffic notice message to avoid cluster-specific terminology. * origin/topic/vlad/caploss_no_traffic: Fix scheduling due to network_time being 0 in zeek_init Add test for CaptureLoss::Too_Little_Traffic Add CaptureLoss::Too_Little_Traffic Add CaptureLoss::initial_watch_interval for a quick read on cluster health after startup. Documentation update, reference the threshold variable. [nomail] [skip ci] Whitespace fixes only [nomail] [skip ci]
2025-10-02 06:38:20 +00:00 · 2020-10-12 16:49:01 -07:00 · 2020-10-12 16:49:01 -07:00 · 86e10bfb7e
commit 86e10bfb7e
parent b73cc816e9 4d998742e2
9 changed files with 99 additions and 23 deletions
--- a/17
+++ b/17
@ -37,6 +37,23 @@ New Functionality
 - Added a ``udp-state`` signature condition to enforce matching against
  either "originator" or "responder" flow direction of UDP packets.

+- Improvements to catpure-loss.zeek:
+
+  - A new option, ``CaptureLoss::initial_watch_interval``.  When restarting a
+    Zeek cluster, one usually wants some immediate feedback as to the health of
+    the monitoring via capture loss. However, you previously needed to wait a
+    full ``CaptureLoss::watch_interval``, which defaults to 15 minutes.  The
+    new option specifies the interval for the first-time report.  So the new
+    default behavior provides stats after 1 minute and then after
+    15 minutes afterward.
+
+  - A new notice type, ``CaptureLoss::Too_Little_Traffic``.
+    If a Zeek process sees less than ``CaptureLoss::minimum_acks`` ACKs in a
+    given interval, this notice gets raised.  This can be a useful diagnostic
+    if, for whatever reason, a Zeek process stops seeing traffic, but
+    capture-loss.zeek would have previously only reported that "0 gaps and 0
+    ACKs is 0% loss".
+
 Changed Functionality
 ---------------------