[Bro] Question about capture loss script vs. broctl netstats

Vern Paxson vern at icir.org
Thu Jun 27 06:09:08 PDT 2013

As seth mentions, the capture-loss script is quite robust, because it
essentially computes an end-to-end value.  I don't know of any situations
where in practice it makes poor estimates.  These stats:

> worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
> worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
> worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
> worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222

on the other hand come from the kernel's statistics.  If packets are lost
prior to the kernel even seeing them (such as due to an overwhelmed SPAN
port - quite common), then while it reports no drops, that's not a
useful end-to-end measure.  (Also, some kernels have bugs in how these
statistics are captured, for example missing out on packets dropped by
the NIC rather than the kernel.)


More information about the Bro mailing list