[Bro] Packet Drops

Tom OBrion hammadog at gmail.com
Sat May 5 04:10:28 PDT 2012

Thanks for reply Seth.   Was out of pocket all day yesterday but I will load up capture-loss and see what other details we get.  We got something weird going on. We have another g200 in another location seeing about the amount of traffic, same thing.   It is not running pf_ring.  The boxes I believe are dual processor zeon's old technology.  But no reason they should not Andre the traffic.  I might switch OS as Ubuntu server sometimes has flakey Nic drivers.   Then load up Bro by itself and see how that goes.   

Thanks again


Sent from my iPad

On May 4, 2012, at 9:58 AM, Seth Hall <seth at icir.org> wrote:

> On May 4, 2012, at 6:21 AM, Tom OBrion wrote:
>> worker-0: 1336126625.749682 recvd=263871 dropped=30023 link=293912
>> worker-1: 1336126625.997021 recvd=262510 dropped=30656 link=293227
> Are you running "misc/capture-loss"?  That should provide a much more holistic view of packet loss because it's not relying on anything other than characteristics of the actual traffic to tell you if packets are being lost.  It doesn't tell you where the packet loss is happening and could mean a very large number of things, but it's a good place to start.
>> We were unsure as the documentation mentioned 80mbps per CPU, so we
>> thought we would give pf_ring a run.  But at these rates I would not
>> think we would see drops.
> I was really conflicted when I wrote 80Mbps in that documentation.  There is really no good way to figure out what that will be.  With reasonably fast, modern Xeon CPUs people seem to be getting ~150Mbps per core now but you need to take value with a grain of salt too since it depends so heavily on your traffic mix 
>> Is netstats not telling the truth?  :)
> That question is really hard to answer, especially if you are running pf_ring where the normal Linux packet processing pipeline is being bypassed.
>> We are just trying to get an idea of what these old IBM hardware can
>> do for us and are running into this.
> You didn't mention that it's old hardware. :)  What's the architecture?  How many cores does the box have total?
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/

More information about the Bro mailing list