[Bro] Dropping all packets, but not crashed?

Scott Campbell scampbell at lbl.gov
Fri Mar 8 11:00:44 PST 2013

We saw a very similar thing here - there ended up being an issue with
PF_RING < 5.5.2 where corrupted VLAN tagged packets caused the exact
situation you describe.  We were seeing this 2-3 times a day.

I upgraded the PF_RING to 5.2.2 and the issue went away.  This problem
is listed in the ChangeLog as well.


On 3/8/13 12:51 PM, Jesse Bowling wrote:
> I noticed today while reviewing my notice.log that one worker
> thread has been consistently dropping all packets that it
> received...The status indicated that it was running, and a restart
> of the worker did not indicate that anything was crashed or that it
> exited oddly...After using broctl to restart the worker, no more
> notices...
> I imagine it's too late to gather more info about this now, but if
> the situation should present itself again, how would I gather the
> most debug information to try to find out why? Are there settings I
> should turn on now, or commands I should run at the time? strace,
> gdb, etc?
> Is it too late to get more info about why this was happening?
> I also just happened to visit the securityonion page and notice
> this at the top:
> "An issue was recently discovered in Bro 2.1 when monitoring
> multiple interfaces with PF_RING that could result in traffic loss.
> This issue is targeted for resolution in Bro 2.2.  In the meantime,
> if you're monitoring multiple interfaces with Bro, please disable
> Bro's PF_RING load balancing as follows:"
> This could perhaps describe my situation....Anyone have any more
> specifics on this?
> Cheers,
> Jesse
