[Zeek-Dev] connection $history - 'g' for gap

Seth Hall seth at corelight.com
Tue Apr 9 04:36:21 PDT 2019


I think it would be useful.  I can't believe we hadn't already thought of adding that!

  .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com


> On Apr 8, 2019, at 10:02 PM, Vern Paxson <vern at corelight.com> wrote:
> 
> I'm finding it would be handy to be able to glance at a connection log line
> and know that the analysis for the connection experienced a content gap.
> For example, this can immediately explain why DPD failed to identify a
> known server.
> 
> Proposal: add 'g'/'G' connection history values, scaled in the same
> exponential way as for 'c', 't' and 'w'.
> 
> Any thoughts/objections before I go ahead and implement this?
> 
>        Vern
> _______________________________________________
> zeek-dev mailing list
> zeek-dev at zeek.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev
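A sketch of how the proposed letters could be used when triaging conn.log (an added example, not code from this thread or from Zeek). It assumes that upper case marks the originator's direction, lower case the responder's, and that "exponential" scaling means the k-th repeat of a letter is logged at the 10^(k-1)-th gap; `gap_floor` and `triage` are hypothetical helper names, and the log rows are constructed.

```python
import csv
import io

# Constructed sample rows (not real traffic), using a subset of conn.log columns.
SAMPLE = (
    "uid\tid.resp_p\tservice\thistory\n"
    "CAAA01\t443\tssl\tShADadFf\n"
    "CAAA02\t443\t-\tShADgadFf\n"
    "CAAA03\t80\t-\tShADGGgadf\n"
    "CAAA04\t22\t-\tShADadFf\n"
)


def gap_floor(history, letter):
    """Lower bound on content gaps in one direction.

    Assumption: each repeat of the letter marks the next power-of-ten
    threshold, so k occurrences mean at least 10**(k-1) gaps.
    """
    k = history.count(letter)
    return 0 if k == 0 else 10 ** (k - 1)


def triage(log_text):
    """Classify connections where no service was identified ('-').

    Returns {uid: (verdict, orig_gap_floor, resp_gap_floor)}.
    'gap' means a content gap is a candidate explanation for the missing
    service; 'no-gap' means the cause has to be looked for elsewhere.
    """
    verdicts = {}
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        if row["service"] != "-":
            continue  # a service was identified, nothing to explain
        orig = gap_floor(row["history"], "G")  # assumed: originator side
        resp = gap_floor(row["history"], "g")  # assumed: responder side
        verdict = "gap" if (orig or resp) else "no-gap"
        verdicts[row["uid"]] = (verdict, orig, resp)
    return verdicts


if __name__ == "__main__":
    for uid, result in triage(SAMPLE).items():
        print(uid, *result)
```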


