[Bro] Dropped Packets
JAzoff at albany.edu
Mon Jun 18 13:22:42 PDT 2012
On Mon, Jun 18, 2012 at 03:24:52PM -0400, Will Havlovick wrote:
> I have found a way to lessen the amount of packets being dropped.
> Here is what I have:
> Dell r310 - 3.2GHz - 4GB RAM - Dell hardware RAID controller - two 1TB 7.2k drives in a RAID 1
> Test scenario:
> Two bro2.0 servers running virtually identical configs with Ubuntu 11.10.
> One server for testing and one as a control.
> Both monitoring 2 Network Taps of live traffic.
> Test 1 : increased RAM to 8GB
> Result : same amount of packets dropped
> Test 2 : replaced hard drives with 2 10k drives in a RAID 1
> Result : 10% less packet drops in bro logs as compared to the control server
> Test 3 : replaced hard drives with 2 SSD drives in a RAID 1
> Result : 80% less packet drops than the control server
> Test 4 : switched SSD hard drives to a RAID 0
> Result : 90% less packet drops than the control server
> I have heard that SSD drives have a shorter life span if they are written to a lot. So this is probably not the best solution.
> But, from now on I will order servers with the fastest possible hard drives which for the Dell r310 are 15K SAS drives.
> When I get the 15K SAS drives in I will run the same tests and put the results out.
How much disk IO are these boxes actually doing while the test is
A good tool for showing this is dstat (apt-get install dstat)
dstat --disk-tps -a --mem 5
-- Justin Azoff
-- Network Security & Performance Analyst