[Bro] Dropping packets - How do I leverage multiple core with BRO?

Veronica Estrada estrada.veronica at gmail.com
Wed Nov 10 23:58:09 PST 2010

Hello BRO professionals,

I am using BRO v 1.5.1 to analyze off-line pcap files. When I run BRO
on a 4Gb pcap file, one CPU core always reaches 100% but the server
still has 15 more idle cores.
The analysis uses brolite, dpd and detect-protocols.

I am afraid BRO is losing packets. By the way, how can I measure
packet dropping?

The capture-loss generates this notice:
no=CaptureLossSummary na=NOTICE_ALARM_ALWAYS msg=estimated\ rate\ \=\
0.0082201 tag=@36-6fb3-4a

Are these events or bytes? Why does it indicate a tag? I cannot find any
reference to this tag in any of the other logs. By reading the
documentation, it seems you don't recommend this metric.
Instead, I will be happy to know the number of packets that BRO
processed. I cannot find where this number is logged.

Best regards

Veronica Estrada
Nakao's Laboratory
Univ. of Tokyo
