[Bro] Bro Cluster Dropped Packets

M K mkhan04 at gmail.com
Wed Apr 30 06:42:59 PDT 2014

Is there any way to determine the cause of dropped packets? I'm running Bro
Cluster (2.2) on a single machine with 1 manager, 1 proxy and 10 workers.
The total number of workers is much less than the number of CPUs in this
machine (system load doesn't usually get higher than 2 and individual
worker processes hover at around 30-40% CPU utilization). The machine has
PF_Ring and related ethernet drivers installed. After looking at netstats
there are always some dropped packets. The occasional dropped packet isn't
usually a cause for concern but some workers show large numbers of dropped
packets. I'd like to know what part of the process is bottle-necked and
causing packets to be dropped.

The documentation mentions that broctl cron logs stats but doesn't mention
where they're located (didn't see anything in spool that looked like
cluster runtime stats) or how to view the data.

Anyone have any ideas?
