[Bro] Packet Drops

Tom OBrion hammadog at gmail.com
Fri May 4 03:29:27 PDT 2012


meant to replay all.

This is via tcpdump this morning.

1995 packets captured
1995 packets received by filter
14731 packets dropped by kernel

On Fri, May 4, 2012 at 12:26 AM, Martin Holste <mcholste at gmail.com> wrote:
> On moderate hardware, I've found that it takes about one CPU per 100
> Mb/sec, so you shouldn't be dropping at anything under that.  You
> probably also don't need PF_RING or any special kernel tunings at
> anything less than 200-300 Mb/sec, so that shouldn't be the problem
> either.  When you say dropped packets, is that per the Bro drop log,
> or the nic stats?
>
> On Thu, May 3, 2012 at 8:21 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>> On Thu, May 03, 2012 at 09:10:40PM -0400, Tom OBrion wrote:
>>> Need some thoughts from the LINUX/BRO gifted....
>>>
>>> Hardware:
>>>
>>> CPU: two - Intel(R) Xeon(TM) CPU 2.40GHz
>>> MEM: 2gig
>>> NIC's: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
>>>
>>> We  peak around 130mbps and at this time we are running around 10mbps.
>>>  No matter what speed we run at we continue to drop packets.  We have
>>> loaded pf_ring and load balanced across two NIC's based on Martin's
>>> BLOG:  http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html
>>
>> Can you post the contents of the files in /proc/net/pf_ring/ for the bro
>> processes?  You should have one per bro worker.
>>
>>
>> --
>> -- Justin Azoff
>> -- Network Security & Performance Analyst
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Tom O'Brion
TEL: 207.210.2167
Skype:

"Life is too short to spend time with people who suck the happy out of you."




More information about the Bro mailing list