[Bro] Packet Drops

Seth Hall seth at icir.org
Fri May 4 06:58:44 PDT 2012

On May 4, 2012, at 6:21 AM, Tom OBrion wrote:

> worker-0: 1336126625.749682 recvd=263871 dropped=30023 link=293912
> worker-1: 1336126625.997021 recvd=262510 dropped=30656 link=293227

Are you running "misc/capture-loss"?  That should provide a much more holistic view of packet loss because it's not relying on anything other than characteristics of the actual traffic to tell you if packets are being lost.  It doesn't tell you where the packet loss is happening and could mean a very large number of things, but it's a good place to start.

> We were unsure as the documentation mentioned 80mbps per CPU, so we
> thought we would give pf_ring a run.  But at these rates I would not
> think we would see drops.

I was really conflicted when I wrote 80Mbps in that documentation.  There is really no good way to figure out what that will be.  With reasonably fast, modern Xeon CPUs people seem to be getting ~150Mbps per core now, but you need to take that value with a grain of salt too since it depends so heavily on your traffic mix.

> Is netstats not telling the truth?  :)

That question is really hard to answer, especially if you are running pf_ring where the normal Linux packet processing pipeline is being bypassed.

> We are just trying to get an idea of what this old IBM hardware can
> do for us and are running into this.

You didn't mention that it's old hardware. :)  What's the architecture?  How many cores does the box have total?


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
