When there is a sudden change in the data sent to the PCA, traffic loss may result... but this problem can be difficult to diagnose with the existing PCA statistics.
In many cases a change in trend is more important than a metric by itself... for example, a certain number of alien packets or Diffie-Hellman ciphers might be normal noise, but a sudden jump in these ratios may indicate a serious problem.
Several ideas to help with diagnosing traffic drop-offs:
* Better SSL decoding metrics:
** Track the % unknown ciphers and raise an alarm if it exceeds a threshold
** Track the % DH ciphers and raise an alarm if it exceeds a threshold
** Track the % failed SSL negotiations and raise an alarm if it exceeds a threshold
* Better detection of changes in traffic:
** Track the % of traffic on the top 10 ports (plus "others") and raise an alarm if there is a sudden change
** Track health metrics on the top 10 hosts (plus "others"): %DH seen, %alien, %dropped-packet connections, %aged connections; raise an alarm if there is a sudden change
** Survey of the top 10 most commonly seen ciphers (plus "others")
* Access to commonly helpful commands:
** SAR (System Activity Report)
** More filtering for TCPDump (by host, port, etc.)
These changes will be particularly helpful when traffic from multiple hosts and networks is arriving... for example, they may surface a problem on a particular host that would otherwise be masked in the overall statistics.
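To make the "threshold" and "sudden change" alarms above concrete, here is an added Python example (not code from the idea post or from the PCA product). It assumes the PCA exposes per-interval counters of the kind listed above; the field names (ssl_total, unknown_cipher, dh_cipher, ssl_failed, port_bytes) and all numbers are constructed for illustration. It computes the cipher ratios and the top-N-port traffic shares, raises a threshold alarm when a ratio exceeds a fixed limit, and raises a trend alarm when a ratio moves more than a set number of percentage points away from the average of the previous intervals, which is the "change in trend" the post cares about.

```python
from collections import Counter
from statistics import mean

# Constructed sample: one record per collection interval (e.g. five minutes).
# The counts are invented for illustration; they are not PCA output.
INTERVALS = [
    {"ssl_total": 1000, "unknown_cipher": 10, "dh_cipher": 50, "ssl_failed": 5,
     "port_bytes": {443: 70000, 80: 20000, 8443: 5000, 22: 2000, 3389: 1000, 53: 500}},
    {"ssl_total": 1100, "unknown_cipher": 12, "dh_cipher": 55, "ssl_failed": 6,
     "port_bytes": {443: 72000, 80: 21000, 8443: 5200, 22: 1900, 3389: 1100, 53: 400}},
    {"ssl_total": 1050, "unknown_cipher": 11, "dh_cipher": 52, "ssl_failed": 4,
     "port_bytes": {443: 69000, 80: 19500, 8443: 5100, 22: 2100, 3389: 900, 53: 600}},
    # Last interval: a jump in DH ciphers and a shift of traffic from 443 to 8443.
    {"ssl_total": 1000, "unknown_cipher": 9, "dh_cipher": 400, "ssl_failed": 5,
     "port_bytes": {443: 30000, 80: 20000, 8443: 45000, 22: 2000, 3389: 1000, 53: 500}},
]

# Fixed limits in percent (assumed values; tune to what is "normal noise" on your network).
THRESHOLDS = {"unknown_cipher": 5.0, "dh_cipher": 10.0, "ssl_failed": 5.0}
# Trend alarm when a ratio moves more than this many percentage points away from its baseline.
JUMP_POINTS = 10.0


def pct(part, total):
    """Percentage of part in total; 0 when there is no traffic at all."""
    return 100.0 * part / total if total else 0.0


def ssl_ratios(rec):
    """% unknown ciphers, % DH ciphers and % failed negotiations for one interval."""
    return {k: pct(rec[k], rec["ssl_total"]) for k in THRESHOLDS}


def port_share(port_bytes, top_n=3):
    """Share of bytes on the top_n busiest ports plus an 'others' bucket."""
    total = sum(port_bytes.values())
    top = Counter(port_bytes).most_common(top_n)
    shares = {str(port): pct(nbytes, total) for port, nbytes in top}
    shares["others"] = 100.0 - sum(shares.values())
    return shares


def port_ratios(rec):
    return port_share(rec["port_bytes"])


def threshold_alarms(rec):
    """Metrics whose ratio exceeds its fixed limit in the given interval."""
    return sorted(k for k, v in ssl_ratios(rec).items() if v > THRESHOLDS[k])


def trend_alarms(history, current, key_fn):
    """Metrics whose current ratio differs from the mean of the history by more
    than JUMP_POINTS; returns {metric: (baseline %, current %)}."""
    baseline = {}
    for rec in history:
        for k, v in key_fn(rec).items():
            baseline.setdefault(k, []).append(v)
    alarms = {}
    for k, v in key_fn(current).items():
        # A key never seen in the history (a new port entering the top N)
        # has no baseline, so compare it against itself and let the next
        # interval judge it.
        base = mean(baseline.get(k, [v]))
        if abs(v - base) > JUMP_POINTS:
            alarms[k] = (round(base, 1), round(v, 1))
    return alarms


def evaluate(intervals, window=3):
    """Alarm report for the latest interval against the preceding `window` intervals."""
    history, current = intervals[-window - 1:-1], intervals[-1]
    return {
        "threshold": threshold_alarms(current),
        "ssl_trend": trend_alarms(history, current, ssl_ratios),
        "port_trend": trend_alarms(history, current, port_ratios),
    }


if __name__ == "__main__":
    for name, result in evaluate(INTERVALS).items():
        print(f"{name}: {result}")
```

On the constructed data the last interval trips the DH-cipher threshold and a DH trend alarm (about 5% to 40%), and the port trend shows 443 dropping from roughly 71% to 30% while 8443 rises from about 5% to 46%; the raw cipher count alone would not have distinguished this from a quiet day. The same trend_alarms function can be pointed at per-host health metrics (%alien, %dropped-packet connections, %aged connections) by supplying a key function that reads those fields.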
What is your industry? | Banking
What is the idea priority? | Medium