Re: [ISSForum] network sensor 7 performance

Johnson, Scott scribed:
> Jacob
> Please pardon my igorance, but I need to have this issue cleared up. Mgt
> is not at all happy with RS and I want to give them accurate
> information. Just to make sure I understand, tcp.misseddata_gaps is not
> counting the number of missing sequence numbers but rather counting an
> event where there are missing sequence numbers related to a session? If
> I see a count of 100 in the tcp.misseddata_gaps parameter the number of
> packets dropped is probably much higher than 100?

Not necessarily.

It is difficult to correlate the number of dropped packets with the
number of gaps detected.

The stat does not detect when packets have been missed, only when
PAM detects that it has missed data.

If the environment is not terribly lossy, 1 gap will _usually_ indicate
1 missed tcp segment (1 missed packet).

If you feel that the packet loss may be occuring at the sensor, I
believe there is a tuning parameter to enable dropped packet notification.
This statistic will not reflect traffic lost due to collisions or
insufficient bandwidth on a spanning port, but it will tell you
if the network sensor is the culprit.  The tuning parameter
should be listed in the network sensor documentation.

Hope this helps,
