[Bro] Bro performance issues

Justin Azoff JAzoff at albany.edu
Mon Oct 31 06:22:50 PDT 2011

On Sun, Oct 30, 2011 at 11:46:16AM +0200, Tomer Teller wrote:
> Hey all,
> I am testing Bro's performance using tcpreplay for some project of mine.
> I am using a packet capture of 680000 packets using different rates to
> check for packet loss.
> tcpreplay  -i eth0 --mbps=X 680000.pcap (where X = 1000,500,100,10)
> Bro, on the other hand, doesn't see all 680000; it sees around 540,000.

As a sanity check, what does bro report if you run it with something
like this:

    bro -f ip -C -r 680000.pcap your_counter_policy.bro

-- Justin Azoff
-- Network Security & Performance Analyst
