[Bro] bro weird.log are very high

Seth Hall seth at icir.org
Thu Aug 7 08:41:49 PDT 2014


On Aug 7, 2014, at 11:17 AM, Zhai, Jim (MGS) <Jim.Zhai at ontario.ca> wrote:

> Just wondering why weird.log is very high volume. There is a lot of “possible_split_routing” in weird.log. How to get rid of this issue?

It's very possible that you have split routing on your network.  In other words, you might only be seeing one direction of traffic because the other direction of traffic is going on a route that you aren't seeing (another router for example).

Are you loading the misc/capture-loss.bro script?  It's possible that could be caused by a high degree of packet loss as well.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
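
An added example, not part of the original message or of Bro itself: one way to check the "only seeing one direction" hypothesis is to read conn.log's `history` field, where uppercase letters are packets from the originator and lowercase letters are packets from the responder, and count TCP connections seen from one side only, per responder. The sample log and function names are constructed for illustration; treating one-sided connections clustered on a few hosts as a sign of asymmetric routing, and an even spread as a sign of capture loss, is a heuristic assumed here.

```python
from collections import Counter

# Constructed conn.log excerpt in Bro's tab-separated layout (not real traffic).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory
1407425000.1\tC1\t10.0.0.5\t40000\t192.0.2.10\t80\ttcp\tShADadFf
1407425001.2\tC2\t10.0.0.6\t40001\t192.0.2.10\t80\ttcp\tShADadfF
1407425002.3\tC3\t10.0.0.7\t40002\t198.51.100.20\t443\ttcp\tSADF
1407425003.4\tC4\t10.0.0.8\t40003\t198.51.100.20\t443\ttcp\tSAD
1407425004.5\tC5\t10.0.0.9\t40004\t198.51.100.20\t443\ttcp\tShADad
1407425005.6\tC6\t10.0.0.5\t50000\t192.0.2.53\t53\tudp\tDd
"""

def read_bro_log(lines):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def direction(history):
    """Classify which endpoints' packets appear in a conn.log history string."""
    letters = [c for c in history if c.isalpha()]  # skips '-' (unset) and '^'
    if not letters:
        return "none"
    saw_orig = any(c.isupper() for c in letters)
    saw_resp = any(c.islower() for c in letters)
    if saw_orig and saw_resp:
        return "both"
    return "orig_only" if saw_orig else "resp_only"

def one_sided_by_responder(lines):
    """Return {responder_ip: (one_sided_count, total_count)} for TCP records."""
    total, one_sided = Counter(), Counter()
    for rec in read_bro_log(lines):
        if rec.get("proto") != "tcp":
            continue
        resp = rec["id.resp_h"]
        total[resp] += 1
        if direction(rec.get("history", "-")) in ("orig_only", "resp_only"):
            one_sided[resp] += 1
    return {host: (one_sided[host], total[host]) for host in total}

if __name__ == "__main__":
    stats = one_sided_by_responder(SAMPLE_CONN_LOG.splitlines())
    for host, (bad, total) in sorted(stats.items()):
        print(f"{host}: {bad}/{total} TCP connections seen in one direction only")
```

The functions accept any iterable of lines, so an open conn.log file object can be passed in place of the sample.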
