[Bro] Problem: Bro listening on two ethernet interfaces

Aashish Sharma aashish at uiuc.edu
Thu May 19 07:21:52 PDT 2005

Hi Christoph, Tim, All:
(I was waiting to get some information/clarifications but nothing yet) 

Yes, we were/are seeing two very different types of dropped packets notifications:
1) Initially packets were dropped at the interface but as Tim pointed out, that got fixed and current count is substantially low:

          RX packets:3550702871 errors:25 dropped:23 overruns:2 frame:2
          RX packets:1577193887 errors:13 dropped:13 overruns:0 frame:0

2) Dropped packets notice in the notice.log files. Example: 

t=1116392591.523558 no=DroppedPackets na=NOTICE_FILE msg=4475\ packets\ dropped\ after\ filtering,\ 21924\ received

Looking at the policy file (netstats.bro) I am inclined to think that these notices are generated because of bro filter. Please correct me here. 

So in short, since we are using direct network feed, right now, I am relying on error count on interfaces which shows a very low number of packet drops. While with bro we do get dropped packets notices in the notice.log file which are due to bro filter.

What I cannot answer/understand right now is:

Is there any way I can find out whether bro is actually dropping packets, if at all?

> I'll let my co-worker, Aashish Sharma, reply to the specific issue of
> bro dropping packets.  However, there are two corrections we made to
> correct for dropped packets and errors that we were receiving on our
> 1GB fiber interfaces after first installing bro and turning it on.
> First, we set the MTU from 1500 to 9000.
> Second, we set LowLatency=On (i.e. modprobe sk98lin LowLatency=On)
> That second fix is specific to the fiber cards we are using.  After
> these two changes, we are no longer receiving errors on the interfaces.
> Aashish Sharma will follow up with bro specific packet loss answer.
> Thanks,
> Tim
> Christoph Goeldi wrote:
> > Hi Tim
> >
> > Quoting Tim Brooks <tbrooks at ncsa.uiuc.edu>:
> >
> >>
> >> Ours works fine on linux with the interfaces set in etc/bro.cfg like:
> >>
> >> BRO_CAPTURE_INTERFACE="eth2 eth3"
> >
> >
> > Are you really sure that Bro doesn't drop most of the captured
> > packets?
> >
> > I like to know what Linux version (distro), what Bro version and what
> > interfaces (100Mbit or 1Gbit / manufacturer) do you use?
> >
> > Thank you for your time
> > Christoph
> -- 
> Tim Brooks
> Security Engineer
> National Center for Supercomputing Applications
> 605 East Springfield Avenue   Champaign, IL 61820
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
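
Added example (not part of the original message, and not code from the Bro project): one way to put numbers on the two drop indicators this message compares, by parsing DroppedPackets lines in the notice.log format quoted above and the ifconfig RX counter line, then computing a dropped-to-received ratio for each. The function names and the second and third sample log lines are constructed; the ratios use the counts exactly as printed and do not say where a drop occurred.

```python
import re

# First line is the notice quoted in the post; the other two are constructed.
SAMPLE_NOTICE_LOG = r"""
t=1116392591.523558 no=DroppedPackets na=NOTICE_FILE msg=4475\ packets\ dropped\ after\ filtering,\ 21924\ received
t=1116392601.000000 no=ConstructedOther na=NOTICE_FILE msg=unrelated\ constructed\ notice
t=1116392611.000000 no=DroppedPackets na=NOTICE_FILE msg=120\ packets\ dropped\ after\ filtering,\ 48000\ received
"""
# Interface counter line quoted in the post (ifconfig output).
SAMPLE_RX = "RX packets:3550702871 errors:25 dropped:23 overruns:2 frame:2"

FIELD = re.compile(r"(\w+)=((?:\\.|[^\\\s])*)")  # key=value, spaces escaped as "\ "
COUNTS = re.compile(r"(\d+) packets dropped after filtering, (\d+) received")

def parse_notice(line):
    """Split one notice.log line into a dict, undoing the backslash escapes."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in FIELD.findall(line)}

def dropped_notices(text):
    """Yield (timestamp, dropped, received) for every DroppedPackets notice."""
    for line in text.splitlines():
        rec = parse_notice(line)
        if rec.get("no") != "DroppedPackets":
            continue
        m = COUNTS.search(rec.get("msg", ""))
        if m:
            yield float(rec["t"]), int(m.group(1)), int(m.group(2))

def notice_summary(text):
    """Total the counts over all DroppedPackets notices in a log."""
    rows = list(dropped_notices(text))
    dropped = sum(r[1] for r in rows)
    received = sum(r[2] for r in rows)
    ratio = dropped / received if received else 0.0
    return {"notices": len(rows), "dropped": dropped,
            "received": received, "ratio": ratio}

def interface_summary(rx_line):
    """Parse an ifconfig 'RX packets:' line into counts and a drop ratio."""
    c = {k: int(v) for k, v in re.findall(r"(\w+):(\d+)", rx_line)}
    ratio = c["dropped"] / c["packets"] if c["packets"] else 0.0
    return {"packets": c["packets"], "dropped": c["dropped"], "ratio": ratio}

if __name__ == "__main__":
    print("notice.log:", notice_summary(SAMPLE_NOTICE_LOG))
    print("interface :", interface_summary(SAMPLE_RX))
```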