[Bro] missed bytes without gaps
seth at icir.org
Wed Dec 18 05:22:48 PST 2013
On Dec 18, 2013, at 7:57 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
> Using these two definitions, I see almost 40% of my packets fall into the "missed" streams, while around 60% fall into the non-missed. I was doing this to check my setup and see if I had everything working. From everything else (no gaps reported, and almost no dropped packets) I thought everything was working. Now I question if something else is wrong, and so I am wary about using this to look at other data as it may not be complete.
There are a lot of reasons that you could be missing traffic that have nothing to do with the packet drop statistics reported by your NIC. I have a guess about what's happening in your traffic though. Have you disabled the special features on your NIC? Refer to this blog post on how to do it on Linux:
If you want a much better mechanism to see if you're receiving all of the traffic you should be, I recommend loading the misc/capture-loss script. By default it will write out to capture_loss.log every 15 minutes, and because it takes its measurements from the TCP streams themselves it can even detect packet loss occurring before the packets arrive at your monitoring interface. A number of people have detected faulty packet distribution boxes and overloaded switch SPAN ports with it.
International Computer Science Institute
(Bro) because everyone has a network
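The stream-based check described in the reply above, as an added example that is not code from the Bro project or from anyone in this thread: if a host ACKs bytes the monitor never saw, those bytes were lost before or at the tap, regardless of what the NIC's drop counters say. The packet records are constructed, simplified tuples (data phase only, relative sequence numbers, no SYN/FIN accounting), and the gaps-per-ACK accounting is an assumed reconstruction of the idea, not the script's own implementation.

```python
"""Estimate capture loss from TCP stream content rather than NIC drop counters.

Added example, not code from the Bro project. Each constructed record is
(src, dst, seq, ack, payload_len): seq is the first byte of the payload,
ack is the peer's next expected byte (None when no ACK is carried).
"""


def analyze(packets):
    """Return (acks_seen, gaps_detected, missing_bytes) over all directions."""
    # highest byte (seq + len) actually observed from each (src, dst) direction
    seen_end = {}
    acks = gaps = missing = 0
    for src, dst, seq, ack, plen in packets:
        if plen:
            seen_end[(src, dst)] = max(seen_end.get((src, dst), seq), seq + plen)
        # an ACK from src acknowledges data flowing dst -> src
        if ack is not None:
            acks += 1
            end = seen_end.get((dst, src))
            # ACK beyond what we captured means the tap never delivered those bytes
            if end is not None and ack > end:
                gaps += 1
                missing += ack - end
                seen_end[(dst, src)] = ack  # count each hole only once
    return acks, gaps, missing


def capture_loss_ratio(packets):
    """Fraction of ACKs that exposed a capture gap (0.0 when no ACKs seen)."""
    acks, gaps, _ = analyze(packets)
    return gaps / acks if acks else 0.0


# Constructed sample: one connection, with the client's last segment never
# reaching the monitor even though the server acknowledges it.
SAMPLE = [
    ("10.0.0.1", "10.0.0.2", 1, None, 100),   # client sends bytes 1..100
    ("10.0.0.2", "10.0.0.1", 1, 101, 0),      # server ACKs 101: all captured
    ("10.0.0.2", "10.0.0.1", 1, None, 500),   # server sends bytes 1..500
    ("10.0.0.1", "10.0.0.2", 101, 501, 0),    # client ACKs 501: all captured
    ("10.0.0.1", "10.0.0.2", 101, 501, 200),  # client sends bytes 101..300
    # client segment 301..700 is missing from the capture
    ("10.0.0.2", "10.0.0.1", 501, 701, 0),    # server ACKs 701: 400 bytes unseen
]

if __name__ == "__main__":
    print(analyze(SAMPLE), capture_loss_ratio(SAMPLE))
```

A capture with no NIC drops but a non-zero ratio here points at the tap, SPAN port or aggregation box rather than at the sensor host.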