[Zeek-Dev] connection $history - 'g' for gap

Justin Azoff justin at corelight.com
Tue Apr 9 09:35:42 PDT 2019


On Mon, Apr 8, 2019 at 8:13 PM Jim Mellander <jmellander at lbl.gov> wrote:

> It might be valuable to have some (optional) way of accessing the byte
> counts consisting the content gap(s).  If the content gap is somewhere in a
> long tail, but DPD still fails, then the explanation could be something
> other than a content gap.
>
> On the other hand, maybe you're just thinking about content gaps at the
> head of a connection before it has been fully analyzed.
>

This is the missed_bytes field:

missed_bytes: count &log &default = 0 &optional
Indicates the number of bytes missed in content gaps, which is
representative of packet loss. A value other than zero will normally cause
protocol analysis to fail but some analysis may have been completed prior
to the packet loss.

-- 
Justin
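As an added example (not code from this thread or from Zeek itself), here is a small Python triage over a constructed conn.log excerpt that applies the reasoning above: when `service` is empty, a nonzero `missed_bytes` points to packet loss as the explanation for the DPD failure rather than an unknown protocol, and a populated `service` alongside a gap shows analysis that completed before the loss. The column names follow Zeek's `#fields` header; the uids and addresses are made up.

```python
"""Triage Zeek conn.log records by protocol-detection outcome vs. content gaps.

Added example, not from the zeek-dev thread or the Zeek project. It uses
only fields Zeek already logs (service, missed_bytes) to separate DPD
failures explained by packet loss from genuinely unidentified traffic.
"""

# Constructed sample conn.log excerpt (Zeek TSV); all values are made up.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "\t".join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
               "id.resp_p", "proto", "service", "conn_state", "missed_bytes",
               "history"]),
    "\t".join(["1554778800.0", "CAbc1", "10.0.0.5", "51000", "10.0.0.9", "443",
               "tcp", "ssl", "SF", "0", "ShADadFf"]),
    "\t".join(["1554778801.0", "CAbc2", "10.0.0.5", "51001", "10.0.0.9", "443",
               "tcp", "-", "SF", "1460", "ShADadFf"]),
    "\t".join(["1554778802.0", "CAbc3", "10.0.0.5", "51002", "10.0.0.9", "8443",
               "tcp", "-", "SF", "0", "ShADadFf"]),
    "\t".join(["1554778803.0", "CAbc4", "10.0.0.5", "51003", "10.0.0.9", "80",
               "tcp", "http", "SF", "2920", "ShADadFf"]),
])


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue          # other header lines (#separator, #types, ...) and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def triage(record):
    """Explain one record's protocol-detection outcome using missed_bytes."""
    missed = int(record["missed_bytes"]) if record["missed_bytes"] != "-" else 0
    has_service = record["service"] not in ("-", "", "(empty)")
    if has_service and missed > 0:
        return "partial"       # analyzer attached before the gap; later data lost
    if has_service:
        return "analyzed"      # DPD succeeded, no content gap
    if missed > 0:
        return "gap"           # DPD failure explained by packet loss
    return "unidentified"      # no gap, so the protocol is genuinely unknown


def triage_log(text):
    """Map each uid to its triage label for a whole conn.log text."""
    return {r["uid"]: triage(r) for r in parse_conn_log(text)}
```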