[Bro] Bro 2.0 packets dropped

Machiel van Veen mvv at sentia.nl
Fri Feb 3 07:18:29 PST 2012

On Friday 03 February 2012 14:52:11 Seth Hall wrote:
> On Feb 3, 2012, at 8:38 AM, Machiel van Veen wrote:
> > Besides tuning the receive buffer and queue length is there anything else
> > I can do about this?
> >
> > worker-1: 1328274953.996680 recvd=129059158 dropped=114860 link=129174018
> > worker-2: 1328274954.197859 recvd=129059218 dropped=115120 link=129174338
> > worker-3: 1328274954.397642 recvd=129052866 dropped=122170 link=129175036
> Are you monitoring 3 separate links on three interfaces?  I'm a little
>  suspicious that you may be monitoring the same traffic three separate
>  times.  You will need to load balance the traffic across those three
>  workers if it's a single interface (I'm working on automating this now).

It is one interface, there might be a problem load balancing. I've switched to 
a standalone setup for now.

"listening on eth1, capture length 8192 bytes"

"bro: 1328281729.277621 recvd=3553337 dropped=4503 link=3557842"

The packetloss is still there though.

> Could you add a line to load the misc/capture-loss script to your
>  local.bro? @load misc/capture-loss
> After you do that, make sure you do "check", "install", "restart" in
>  broctl.  The capture-loss script will give you another measure of packet
>  loss that is not based on information being received from the NIC.  

>From the alarm summary:

"2012-02-03-15:39:46 CaptureLoss::Too_Much_Loss
The capture loss script detected an estimated loss rate above 27.282%"

> Oh, that brings up another question.  What NICs are you using?

Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz
driver: bnx2
version: 2.1.11
firmware-version: bc 4.6.0 ipms 1.6.0

>   .Seth

Thanks again, Machiel.

More information about the Bro mailing list