[Bro] strange dropped packets issue

William L. Jones jones at tacc.utexas.edu
Tue Nov 3 15:03:28 PST 2009

Is your Bro running on a Linux platform?

Bill Jones

-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Justin Azoff
Sent: Tuesday, November 03, 2009 3:52 PM
To: bro at ICSI.Berkeley.EDU
Subject: [Bro] strange dropped packets issue

I've been trying to enable drop-adapt, but I've run into a really odd issue
with dropped packets.

Things start out working fine, but then as soon as any packets are dropped it
goes all the way back up to Level 10 and stays there:

Nov  3 15:49:55 switched to LoadLevel9
Nov  3 15:52:25 switched to LoadLevel8
Nov  3 15:54:55 switched to LoadLevel7
Nov  3 15:57:25 switched to LoadLevel6
Nov  3 15:59:55 switched to LoadLevel5
Nov  3 16:01:55 switched to LoadLevel6
Nov  3 16:02:45 switched to LoadLevel7
Nov  3 16:03:35 switched to LoadLevel8
Nov  3 16:04:25 switched to LoadLevel9
Nov  3 16:05:15 switched to LoadLevel10

netstats will then show dropped increasing at about 80% the rate of recvd.

The odd part is if I run capstats with the -f option corresponding to the Level
10 filter and run netstats in 10-second intervals, the pkts= matches up almost

So it seems that Bro isn't actually dropping any packets, but it thinks it is.
If I restart Bro, it goes right back to 0 dropped packets.

I think I'm running into some sort of libpcap issue on Linux, but I'm not sure.
It seems everything goes wrong as soon as it starts changing the capture filter
once packets are dropped.  Though it might just be that things go wrong once
packets are dropped in general, but I don't really know how to test that.

-- Justin Azoff
-- Network Performance Analyst