[Bro] Bro Cluster Dropped Packets

Seth Hall seth at icir.org
Wed Apr 30 07:03:56 PDT 2014

On Apr 30, 2014, at 9:42 AM, M K <mkhan04 at gmail.com> wrote:

> After looking at netstats there's always some dropped packets.

Generally with network monitoring you're going to have some degree of dropped packets even on the most appropriately scaled systems.  What you generally want to do is fight to keep the percentage of dropped packets as consistently low as possible.  Also, when you're using things like PF_Ring that do odd things with NIC buffers you have to be very leery of the stats reported from the NIC.  Even in the best of cases those stats aren't very trustable.

What we generally recommend for our users is to run the misc/capture-loss script.  You can load it by adding this line to local.bro (and doing install then restart in broctl)

@load misc/capture-loss

This will create a capture-loss.log file that is written to every 15 minutes (by default) which will tell you your apparent packet loss, measured by watching non-seen but acked data segments in TCP streams.  This can also be confusing for people; sometimes it will measure traffic loss happening upstream in your network.  Here is a blog post where someone had packet loss happening on a network device before the packets were even sent to their box running Bro:



Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
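The capture-loss.log that the reply above recommends is a Bro ASCII log with one row per worker per interval (ts, ts_delta, peer, gaps, acks, percent_lost), where percent_lost is gaps/acks expressed as a percentage. The following is an added example, not code from Seth's message or from the Bro project: it parses that log offline, aggregates loss per worker, and flags which workers sit above a threshold. The sample log lines are constructed, the 1% threshold is an arbitrary assumption, and the "every worker is lossy at once, so suspect something upstream" heuristic is an assumption of this example, not something the message or Bro states.

```python
import re
from collections import defaultdict

# Constructed sample of a Bro capture_loss.log (two workers, two 15-minute
# intervals). worker-2 is losing about 10% of acked data; worker-1 is healthy.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tcapture_loss
#open\t2014-04-30-07-00-00
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1398866400.000000\t900.000000\tworker-1\t12\t54000\t0.022222
1398866400.000000\t900.000000\tworker-2\t5400\t54000\t10.000000
1398867300.000000\t900.000000\tworker-1\t20\t60000\t0.033333
1398867300.000000\t900.000000\tworker-2\t6000\t60000\t10.000000
#close\t2014-04-30-07-30-00
"""


def parse_capture_loss(text):
    """Yield one dict per data row of a Bro ASCII capture_loss.log.

    Honors the #separator and #fields header lines instead of assuming tabs,
    so a log written with a different separator still parses.
    """
    sep = "\t"
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # The separator is written as an escape such as \x09 after a space.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(sep)[1:]
            continue
        if line.startswith("#"):
            continue  # #types, #open, #close, etc.
        if fields is None:
            raise ValueError("data row seen before #fields header")
        row = dict(zip(fields, line.split(sep)))
        yield {
            "ts": float(row["ts"]),
            "ts_delta": float(row["ts_delta"]),
            "peer": row["peer"],
            "gaps": int(row["gaps"]),
            "acks": int(row["acks"]),
            "percent_lost": float(row["percent_lost"]),
        }


def summarize(records, threshold=1.0):
    """Aggregate loss per worker and count intervals above the threshold.

    percent_lost is recomputed from total gaps/acks so that a worker that was
    idle in one interval does not skew a plain average of per-interval values.
    """
    per_peer = defaultdict(lambda: {"gaps": 0, "acks": 0, "intervals": 0, "over": 0})
    for r in records:
        p = per_peer[r["peer"]]
        p["gaps"] += r["gaps"]
        p["acks"] += r["acks"]
        p["intervals"] += 1
        if r["percent_lost"] > threshold:
            p["over"] += 1
    summary = {}
    for peer, p in per_peer.items():
        pct = 100.0 * p["gaps"] / p["acks"] if p["acks"] else 0.0
        summary[peer] = {
            "percent_lost": round(pct, 4),
            "intervals": p["intervals"],
            "intervals_over": p["over"],
        }
    return summary


def analyze(text, threshold=1.0):
    """Return (per-worker summary, list of lossy workers, upstream-suspected flag).

    Heuristic (an assumption of this example): if every worker is over the
    threshold in every interval, the loss is probably happening before the
    traffic reaches the sensor (span/tap/aggregation device) rather than on
    one worker's NIC or CPU.
    """
    summary = summarize(parse_capture_loss(text), threshold)
    lossy = sorted(p for p, s in summary.items() if s["percent_lost"] > threshold)
    all_over = bool(summary) and all(
        s["intervals_over"] == s["intervals"] for s in summary.values()
    )
    return summary, lossy, all_over


if __name__ == "__main__":
    summary, lossy, upstream = analyze(SAMPLE_LOG)
    for peer, s in sorted(summary.items()):
        print(f"{peer}: {s['percent_lost']}% lost over {s['intervals']} intervals "
              f"({s['intervals_over']} above threshold)")
    print("lossy workers:", lossy)
    print("suspect upstream loss:", upstream)
```

Run it against a real capture-loss.log by reading the file instead of SAMPLE_LOG; a single worker above the threshold usually points at that worker's own capture path, while uniform loss across all workers is the case the message warns about, where the drops may be upstream of the Bro box entirely.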
