In this episode, Richard Bejtlich explains how to determine if your Zeek deployment suffers from capture loss. There are many causes for capture loss (including an overloaded span port, NIC, or monitoring system), but the end result is the same: unfortunate gaps in the record of network data you’re trying to collect. Happily though, you can use a clever script included with Zeek itself to understand if your deployment has a problem with capture loss. In the process of explaining how the script does its work, Richard also reviews some of the basics of TCP sequence numbering, the FTP protocol, and the editcap tool for modifying packet traces.
If you would like to discuss the video, or consider creating one yourself, please visit the Zeek community Slack workspace and join the #documentation channel.