[Bro] Packet Drops
mcholste at gmail.com
Thu May 3 21:26:08 PDT 2012
On moderate hardware, I've found that it takes about one CPU per 100
Mb/sec, so you shouldn't be dropping at anything under that. You
probably also don't need PF_RING or any special kernel tunings at
anything less than 200-300 Mb/sec, so that shouldn't be the problem
either. When you say dropped packets, is that per the Bro drop log,
or the nic stats?
On Thu, May 3, 2012 at 8:21 PM, Justin Azoff <JAzoff at albany.edu> wrote:
> On Thu, May 03, 2012 at 09:10:40PM -0400, Tom OBrion wrote:
>> Need some thoughts from the LINUX/BRO gifted....
>> CPU: two - Intel(R) Xeon(TM) CPU 2.40GHz
>> MEM: 2gig
>> NIC's: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
>> We peak around 130mbps and at this time we are running around 10mbps.
>> No matter what speed we run at we continue to drop packets. We have
>> loaded pf_ring and load balanced across two NIC's based on Martin's
>> BLOG: http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html
> Can you post the contents of the files in /proc/net/pf_ring/ for the bro
> processes? You should have one per bro worker.
> -- Justin Azoff
> -- Network Security & Performance Analyst
> Bro mailing list
> bro at bro-ids.org
More information about the Bro