[Bro] Dropped Packets

Will Havlovick will.havlovick at zenimax.com
Mon Jun 18 12:24:52 PDT 2012


Update:

I have found a way to lessen the amount of packets being dropped.

Here is what I have:
Dell r310 - 3.2GHz - 4GB RAM - Dell hardware RAID controller - two 1TB 7.2k drives in a RAID 1

Test scenario:
Two bro2.0 servers running virtually identical configs with Ubuntu 11.10.
One server for testing and one as a control.
Both monitoring 2 Network Taps of live traffic.

Test 1 : increased RAM to 8GB 
Result : same amount of packets dropped

Test 2 : replaced hard drives with 2 10k drives in a RAID 1
Result : 10% less packet drops in bro logs as compared to the control server

Test 3 : replaced hard drives with 2 SSD drives in a RAID 1
Result : 80% less packet drops than the control server

Test 4 : switched SSD hard drives to a RAID 0
Result : 90% less packet drops than the control server

I have heard that SSD drives have a shorter life span if they are written to a lot.  So this is probably not the best solution.

But, from now on I will order servers with the fastest possible hard drives, which for the Dell r310 are 15K SAS drives.

When I get the 15K SAS drives in I will run the same tests and put the results out.


Will

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Will Havlovick
Sent: Thursday, January 12, 2012 2:00 PM
To: 'bro at bro-ids.org'
Subject: [Bro] Dropped Packets

Hi all,

I recently upgraded 3 standalone Bro nodes.  2 of them are Ubuntu and one of them is CentOS 6.2.

On the 2 Ubuntu 11.10 boxes I have a lot of dropped packets in the notice.log
---
PacketFilter::Dropped_Packets   476 packets dropped after filtering, 52258 received, 52258 on link      
PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link     
PacketFilter::Dropped_Packets   3061 packets dropped after filtering, 35701 received, 35702 on link     
PacketFilter::Dropped_Packets   3371 packets dropped after filtering, 30573 received, 30591 on link     
---
broctl netstats
       bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125

I then tried to add this line to the broctl.cfg from http://comments.gmane.org/gmane.comp.security.detection.bro/4146
broargs = -l 9800

Which does not appear to be part of the final release and did not work.

The CentOS box is dropping packets, but not the amounts that the 2 Ubuntu boxes are.  

Is there a way to reduce the amount of dropped packets?

Also, I can provide more data if necessary.

Thank you in advance,


Will
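
Added example, not part of the original message or of Bro itself: a small Python parser for the `broctl netstats` and `PacketFilter::Dropped_Packets` lines quoted above, which turns the raw counters into a drop rate and compares a test sensor against a control sensor the way the update describes. It assumes the loss rate is expressed as dropped / (received + dropped) and treats netstats counters as running totals; the snapshot values for the two sensors are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

class Counters(NamedTuple):
    received: int
    dropped: int
    link: int

    @property
    def drop_rate(self) -> float:
        # Assumption: loss is expressed as dropped / (received + dropped).
        total = self.received + self.dropped
        return self.dropped / total if total else 0.0

NETSTATS_RE = re.compile(r"recvd=(\d+)\s+dropped=(\d+)\s+link=(\d+)")
NOTICE_RE = re.compile(
    r"(\d+) packets dropped after filtering, (\d+) received, (\d+) on link")

def parse_line(line: str) -> Optional[Counters]:
    """Parse one netstats or Dropped_Packets line; None if neither matches."""
    m = NETSTATS_RE.search(line)
    if m:
        recvd, dropped, link = map(int, m.groups())
        return Counters(recvd, dropped, link)
    m = NOTICE_RE.search(line)
    if m:
        dropped, recvd, link = map(int, m.groups())
        return Counters(recvd, dropped, link)
    return None

def interval(before: Counters, after: Counters) -> Counters:
    """Difference of two snapshots (assumes counters are running totals)."""
    return Counters(*(a - b for a, b in zip(after, before)))

def relative_reduction(control: Counters, test: Counters) -> float:
    """Fraction by which the test sensor's drop rate is below the control's."""
    if control.drop_rate == 0:
        return 0.0
    return 1.0 - test.drop_rate / control.drop_rate

# Lines copied from the message above.
NETSTATS = "bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125"
NOTICE = "PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link"

if __name__ == "__main__":
    for line in (NETSTATS, NOTICE):
        c = parse_line(line)
        print(f"{c.dropped}/{c.received + c.dropped} = {c.drop_rate:.2%}")
    # Constructed snapshots (not from the thread) for a control and a test sensor.
    control = interval(Counters(1000, 100, 1100), Counters(11000, 1100, 12100))
    test = interval(Counters(1000, 100, 1100), Counters(11800, 300, 12100))
    print(f"reduction vs control: {relative_reduction(control, test):.0%}")
```

Taking both snapshots over the same wall-clock window on each sensor keeps the comparison from being skewed by differences in uptime.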
