[Bro] Dropping packets - How do I leverage multiple core with BRO?

Vern Paxson vern at icir.org
Thu Nov 11 09:21:18 PST 2010


> I am using BRO v 1.5.1 to analyze off-line pcap files. When I run BRO
> on 4Gb pcap file, one CPU core always reaches 100% but the server
> still has more 15 idle cores.

Right, because unless you set up a cluster, Bro runs as a single process.

> I am afraid BRO is loosing packets. By the way, how can I measure
> packet dropping?

It will not lose packets when reading from a trace off-line.

> The capture-loss generates this notice:
> no=CaptureLossSummary na=NOTICE_ALARM_ALWAYS msg=estimated\ rate\ \=\
> 0.0082201 tag=@36-6fb3-4a

That's its estimate of what was lost during the original packet capture
(i.e., the recording of the trace).

> Are this events or bytes?

Unless you redef CaptureLoss::report_byte_based_estimates=T, the estimates
are events.

> WHy indicates tag?

The tag is for use when operating a cluster; you can ignore it here.

> By reading the
> documentation, it seems you don't recommend this metric.

Right - events are more reliable than byte-based loss estimations.

> Instead, I will be happy to know the number of packets that BRO
> processed. I cannot find where is this number logged.

This isn't reported, but per the above, it will be the entire trace file
without any loss during its reading of it.

		Vern


More information about the Bro mailing list