[Bro] dropped packets

sangdrax8 sangdrax8 at gmail.com
Tue Mar 4 11:11:17 PST 2014


On Tue, Mar 4, 2014 at 11:02 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:

> I hate to ask about dropped packets again, as I feel it is a re-occurring
> question... but I can't seem to figure out if this is a configuration issue
> or just not enough hardware.  I see people asking about massive pipes, but
> I am not looking at a very large pipe here.  Using broctl's capstats, I
> show:
> kpps .3
> mbps .6
>
> The node that is dropping is a physical machine that doesn't appear to
> have issues with memory or CPU.  There are 2 bro processes in top, and both
> generally are at or under 20% CPU utilization.  The box keeps a load
> average around .30, which generally would not make me believe it was
> overtaxed.
>
> An example notice:
>
> 1393944936.832292 - - - - - - - - - PacketFilter::Dropped_Packets 11
> packets dropped after filtering, 207913 received, 207913 on link - - - - -
> ids-1 Notice::ACTION_LOG 3600.000000 F - - - - -
>
> I was having issues with missed bytes, but that was resolved by turning
> off offload settings on my NIC.  I rarely see any missed bytes now.
>
> I have tried adjusting some settings, but I saw no improvements.
>
> sysctl -w net.core.rmem_max=8388608
> sysctl -w net.core.wmem_max=8388608
> sysctl -w net.core.rmem_default=65536
> sysctl -w net.core.wmem_default=65536
> sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608'
> sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608'
> sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
> sysctl -w net.ipv4.route.flush=1
>
> I would appreciate any suggestions/comments.
>
>
>

If it is of any help, I notice that these drops seem to happen at 5-minute
intervals.  When it is happening a lot, they are 5 minutes apart, but
sometimes it is 10 minutes, or 25.  Always an increment of 5 minutes though.

Is there something in the cron jobs that could cause me to have drops?

Thanks again for any assistance.
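
Added example, not part of the original post: one way to test the 5-minute observation is to parse the PacketFilter::Dropped_Packets notices and check whether every gap between them is a multiple of 300 seconds. The regex follows the notice quoted above; the function names, the 15-second tolerance and all sample lines except the first are assumptions constructed for illustration.

```python
import re

# Message layout copied from the notice quoted in the post.
NOTICE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s.*PacketFilter::Dropped_Packets\s+"
    r"(?P<dropped>\d+) packets dropped after filtering, "
    r"(?P<received>\d+) received, (?P<link>\d+) on link"
)

def _line(ts, dropped, received):
    """Build a notice line in the layout shown in the post."""
    return (f"{ts} - - - - - - - - - PacketFilter::Dropped_Packets {dropped} "
            f"packets dropped after filtering, {received} received, "
            f"{received} on link - - - - - ids-1 Notice::ACTION_LOG "
            "3600.000000 F - - - - -")

# First entry is the notice from the post; the other three are constructed.
SAMPLE = [
    _line("1393944936.832292", 11, 207913),
    _line("1393945236.901100", 7, 198220),
    _line("1393945837.105000", 23, 401377),
    _line("1393947337.400000", 4, 910042),
]

def parse_drops(lines):
    """Return sorted (timestamp, dropped, received) per Dropped_Packets notice."""
    hits = (NOTICE_RE.match(line) for line in lines)
    return sorted((float(m["ts"]), int(m["dropped"]), int(m["received"]))
                  for m in hits if m)

def gap_report(events, period=300.0, tolerance=15.0):
    """For each gap: (seconds, nearest multiple of period, fits the period?)."""
    report = []
    for (a, *_), (b, *_) in zip(events, events[1:]):
        gap = b - a
        multiple = round(gap / period)
        fits = multiple >= 1 and abs(gap - multiple * period) <= tolerance
        report.append((gap, multiple, fits))
    return report

def phase(ts, period=300.0):
    """Offset of a notice inside its period, for comparison with job schedules."""
    return ts % period

if __name__ == "__main__":
    events = parse_drops(SAMPLE)
    for gap, multiple, fits in gap_report(events):
        print(f"gap {gap:8.1f}s = {multiple} x 300s, periodic={fits}")
    print(f"phase of first notice: {phase(events[0][0]):.1f}s")
```

If every gap fits the period and the phase is constant, the notices follow a fixed schedule rather than traffic load, which narrows the search to whatever runs on that schedule.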