[Bro] Question about capture loss script vs. broctl netstats
seth at icir.org
Tue Jun 25 19:22:21 PDT 2013
On Jun 25, 2013, at 4:51 PM, Derek Banks <itsecderek at gmail.com> wrote:
> It is from a span fed into a Netoptics port regenerator that feeds a few devices. One of those is another Red Hat box with an Endace card in it. That box (and another device we have) do not seem to be dropping traffic.
How are you measuring packet loss with your other tools? The script that is generating those notices you saw is measuring aspects of TCP that indicate packet loss which could be happening upstream of your monitoring. By that, I mean you could be oversubscribing your SPAN port. It could be worth checking packet stats on the SPAN port to see if you are losing traffic there.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro