[Bro] Bro Cluster Dropped Packets
seth at icir.org
Wed Apr 30 07:03:56 PDT 2014
On Apr 30, 2014, at 9:42 AM, M K <mkhan04 at gmail.com> wrote:
> After looking at netstats there's always some dropped packets.
Generally with network monitoring you're going to have some degree of dropped packets even on the most appropriately scaled systems. What you generally want to do is fight to keep the percentage of dropped packets as consistently low as possible. Also, when you're using things like PF_Ring that do odd things with NIC buffers you have to be very leery of the stats reported from the NIC. Even in the best of cases those stats aren't very trustable.
What we generally recommend for our users is to run the misc/capture-loss script. You can load it by adding this line to local.bro (and doing install then restart in broctl)
This will create a capture-loss.log file that is written to every 15 minutes (by default) which will tell you your apparent packet loss, measured by watching non-seen but acked data segments in TCP streams. This can also be confusing for people; sometimes it will measure traffic loss happening upstream in your network. Here is a blog post where someone had packet loss happening on a network device before the packets were even sent to their box running Bro:
International Computer Science Institute
(Bro) because everyone has a network
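
Added example (not part of the original message, and not code from the Bro project): a small Python reader for the capture-loss log described above that totals gaps and ACKs per worker and lists the intervals above a loss threshold. The field names (ts, ts_delta, peer, gaps, acks, percent_lost), the worker names and every sample row are assumptions constructed for illustration.

```python
import io
from collections import defaultdict

# Constructed sample in Bro's tab-separated log layout (all values are made up).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tcapture_loss",
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble",
    "1398866400.000000\t900.000000\tworker-1\t12\t48000\t0.025000",
    "1398866400.000000\t900.000000\tworker-2\t2600\t52000\t5.000000",
    "1398867300.000000\t900.000000\tworker-1\t0\t51000\t0.000000",
    "1398867300.000000\t900.000000\tworker-2\t1400\t56000\t2.500000",
    "#close\t2014-04-30-07-30-00",
]) + "\n"

def read_bro_log(stream):
    """Yield one dict per record, keyed by the names on the #fields line."""
    fields = None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            yield dict(zip(fields, line.split("\t")))

def loss_by_peer(records):
    """Total gaps and ACKs per worker and return {peer: percent lost}."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        totals[rec["peer"]][0] += int(rec["gaps"])
        totals[rec["peer"]][1] += int(rec["acks"])
    # A worker that saw no ACKs has nothing to measure against: report None.
    return {p: (100.0 * g / a if a else None) for p, (g, a) in totals.items()}

def noisy_intervals(records, threshold_pct):
    """Return (ts, peer, percent_lost) for intervals above the threshold."""
    return [(float(r["ts"]), r["peer"], float(r["percent_lost"]))
            for r in records if float(r["percent_lost"]) > threshold_pct]

if __name__ == "__main__":
    records = list(read_bro_log(io.StringIO(SAMPLE_LOG)))
    for peer, pct in sorted(loss_by_peer(records).items()):
        print(peer, "n/a" if pct is None else f"{pct:.3f}%")
    print(noisy_intervals(records, 1.0))
```

Because the figure is derived from ACKed-but-unseen TCP data, it reflects loss anywhere on the path to the sensor, so a high value here does not by itself say the Bro host is the one dropping packets.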