[Bro] Linux Kernel dropping a lot of packets

Randolph Reitz rreitz at fnal.gov
Tue Mar 13 12:23:59 PDT 2007

At this point, I remembered Jason Lee's advice to tune the Linux  
kernel.  He suggested this link

So I did ...

[root@rhyolite bro-1.2.1]# cat /proc/sys/net/core/rmem_default
[root@rhyolite bro-1.2.1]# echo 33554432 > /proc/sys/net/core/ 
[root@rhyolite bro-1.2.1]# echo 33554432 > /proc/sys/net/core/rmem_max
[root@rhyolite bro-1.2.1]# echo 10000 > /proc/sys/net/core/ 
[root@rhyolite bro-1.2.1]# /sbin/sysctl net.core.rmem_max
net.core.rmem_max = 33554432

OK, this looks like progress.  I tried the same tcpdump as above.   
Now I see ...

121 packets captured
149216 packets received by filter
121673 packets dropped by kernel

Before the 'tune', the kernel was dropping 99.8%.  After the tune,  
it's dropping 81.5%.  Not much better.  No fair to suggest I drop  
Linux for FreeBSD!


Please ignore the previous email with this subject.

The kernel 'tuning' above seems to be working.  Bro is now running  
and the logs are filling up.  Bro is consuming 100% of one CPU.

Randy Reitz
Computer Security Team
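
Added example, not part of the original message: a small shell check a sensor operator could run to track the two things the message measures, the kernel drop rate from tcpdump's exit summary and the receive-buffer sysctls. The function names drop_pct and check_rmem are hypothetical; the drop rate is computed as dropped / received by filter, the same arithmetic the message uses, and 33554432 is the buffer size from the message.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Summary lines as quoted in the message above (tcpdump prints them on exit).
SAMPLE_SUMMARY='121 packets captured
149216 packets received by filter
121673 packets dropped by kernel'

# drop_pct: read a tcpdump exit summary on stdin and print the percentage of
# packets dropped by the kernel, to one decimal. Exits 2 if a line is missing.
drop_pct() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == "" || drop == "") exit 2   # not a tcpdump summary
            if (recv == 0) { print "0.0"; exit 0 } # idle link, nothing to drop
            printf "%.1f\n", 100 * drop / recv
        }'
}

# check_rmem WANT [DIR]: report whether rmem_default and rmem_max are at least
# WANT bytes. DIR defaults to /proc/sys/net/core; it is a parameter only so the
# check can be exercised against a scratch directory.
check_rmem() {
    want=$1
    dir=${2:-/proc/sys/net/core}
    rc=0
    for key in rmem_default rmem_max; do
        if [ ! -r "$dir/$key" ]; then
            echo "$key: unreadable"
            rc=1
            continue
        fi
        cur=$(cat "$dir/$key")
        if [ "$cur" -ge "$want" ]; then
            echo "$key: $cur ok"
        else
            echo "$key: $cur below $want"
            rc=1
        fi
    done
    return $rc
}
```

Feeding SAMPLE_SUMMARY to drop_pct reproduces the 81.5% figure from the message; check_rmem 33554432 returns non-zero when either buffer setting is below the size the message sets.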

