capture_loss should exclude shunted connections

Description

Currently, when a connection is shunted, it is not excluded from the capture_loss calculation. This has decreased the usefulness of this log in monitoring cluster performance.

Ideally one could signal that a conn has been shunted, but I'm not familiar enough with Bro's internals to make a suggestion on the right mechanism.

Environment

None

Activity

Justin Azoff
September 5, 2018, 7:09 AM

If you don't care about the connection at all, you can call skip_further_processing after shunting, which will have Bro completely ignore the connection. Just shunting both flows of the connection likely works better, unless you're low on TCAM space.

Basically, Bro needs something like skip_further_processing that disables capture loss tracking on a per-flow basis.

Jon Siwek
September 18, 2018, 6:18 AM
Moved

Assignee

Unassigned

Reporter

Keith Lehigh

Labels

None

External issue ID

None

Priority

Normal