[Zeek-Dev] connection $history - 'g' for gap

Jim Mellander jmellander at lbl.gov
Mon Apr 8 17:05:50 PDT 2019


It might be valuable to have some (optional) way of accessing the byte
counts consisting of the content gap(s).  If the content gap is somewhere in a
long tail, but DPD still fails, then the explanation could be something
other than a content gap.

On the other hand, maybe you're just thinking about content gaps at the
head of a connection before it has been fully analyzed.

On Mon, Apr 8, 2019 at 1:09 PM Vern Paxson <vern at corelight.com> wrote:

> I'm finding it would be handy to be able to glance at a connection log line
> and know that the analysis for the connection experienced a content gap.
> For example, this can immediately explain why DPD failed to identify a
> known server.
>
> Proposal: add 'g'/'G' connection history values, scaled in the same
> exponential way as for 'c', 't' and 'w'.
>
> Any thoughts/objections before I go ahead and implement this?
>
>                 Vern
> _______________________________________________
> zeek-dev mailing list
> zeek-dev at zeek.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev
>
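As an added example (not code from the thread or from Zeek itself) of how the proposed 'g'/'G' letters would read in conn.log, here is a small Python triage script over constructed conn.log rows. It assumes the same convention as the other history letters: uppercase for the originator, lowercase for the responder, and a letter emitted on the first gap and then whenever the running count reaches a power of ten.

```python
# Assumed policy (mirrors the 'c'/'t'/'w' letters): uppercase = originator,
# lowercase = responder; a letter is emitted on the 1st gap and then on every
# gap whose running count is a power of ten (10th, 100th, ...).
GAP_LETTER = {"orig": "G", "resp": "g"}

def is_power_of_ten(n):
    """True for 1, 10, 100, ... (the counts at which a letter is emitted)."""
    if n < 1:
        return False
    while n % 10 == 0:
        n //= 10
    return n == 1

def history_for_gaps(gap_events):
    """Simulate the history letters produced by a sequence of content gaps,
    each given as 'orig' or 'resp' (the side whose stream had the gap)."""
    counts = {"orig": 0, "resp": 0}
    emitted = []
    for side in gap_events:
        counts[side] += 1
        if is_power_of_ten(counts[side]):
            emitted.append(GAP_LETTER[side])
    return "".join(emitted)

def gap_lower_bound(history):
    """Invert the policy: k occurrences of a letter mean at least 10**(k-1) gaps."""
    bounds = {}
    for side, letter in GAP_LETTER.items():
        k = history.count(letter)
        bounds[side] = 0 if k == 0 else 10 ** (k - 1)
    return bounds

# Constructed conn.log rows (assumed column order: uid, orig_h, resp_h, service, history).
SAMPLE_ROWS = [
    "CAbC1\t10.0.0.5\t10.0.0.9\thttp\tShADadFf",
    "CdEf2\t10.0.0.5\t10.0.0.12\t-\tShADgGgFf",
    "CgHi3\t10.0.0.7\t10.0.0.12\t-\tShADadFf",
]

def triage(rows):
    """Explain a missing DPD service label: was a content gap seen on the connection?"""
    verdicts = []
    for row in rows:
        uid, _orig_h, _resp_h, service, history = row.split("\t")
        if service != "-":
            verdicts.append((uid, "service identified"))
        elif any(gap_lower_bound(history).values()):
            verdicts.append((uid, "no service; content gap seen"))
        else:
            verdicts.append((uid, "no service; no gap seen"))
    return verdicts
```

The second row is the case Vern describes: no service was identified, and the history shows the responder stream gapped at least ten times, which explains the DPD miss without further digging.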

