[Bro] Bro 2.0 packets dropped
seth at icir.org
Mon Feb 6 10:55:26 PST 2012
On Feb 3, 2012, at 10:18 AM, Machiel van Veen wrote:
> It is one interface, there might be a problem load balancing. I've switched to
> a standalone setup for now.
If you aren't taking any steps to load balance the traffic then it definitely isn't working. We don't have automated load balanced configuration available in BroControl yet. :)
Today, I did just write a script that automates a BPF based load balancing technique on clusters which will be getting merged in along with the rest of the automated load balancing code soon.
> "bro: 1328281729.277621 recvd=3553337 dropped=4503 link=3557842"
> "2012-02-03-15:39:46 CaptureLoss::Too_Much_Loss
> The capture loss script detected an estimated loss rate above 27.282%"
Are sniffing from a tap or a SPAN port? I'm a little suspicious because the first line indicates that the NIC was showing 0.1% packet loss, but the second line indicates much more loss. The misc/capture-loss.bro script can detect loss due to reasons beyond the monitoring host (like an overloaded SPAN port) so I'm just trying to figure out where there is a such a huge disparity between the two measurements.
Oh, one other thought. Are you disabling all of the offload features of your NIC? Here's an article about it:
Is the MTU on your NIC larger than 8192 (Bro 2.0's default snaplen). If there are packets larger than that they won't be seen by default.
>> Oh, that brings up another question. What NICs are you using?
> Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz
> driver: bnx2
> version: 2.1.11
> firmware-version: bc 4.6.0 ipms 1.6.0
I usually recommend not using Broadcom nics for monitoring. At times with various broadcom nics I've run into weird problems so I tend to avoid them.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro