[Bro] dropped packets
mike.patterson at uwaterloo.ca
Thu Mar 6 05:41:27 PST 2014
Mine will vary between sub-1-percent and up to about 9%, for Reasons I’ll clarify in another list mail (once I get things sorted out so I’m back to under 1% loss). I’m not *pleased* about anything over 2-3%, but I can accept that. Anything under 1 and I’m happy; it’s very likely noise, given we’re a large network and see a ton of weird traffic that I don’t expect Bro to be able to fully account for.
For reference, I’ve got 8 workers going on an overloaded box that sees a floor of 350Mbps and a ceiling of about 3.5Gbps (although I’ve seen sustained peaks up to 6 and short peaks up to 12).
Faced with the choice between changing one's mind and proving that
there is no need to do so, almost everyone gets busy with the proof.
- J.K. Galbraith
On Mar 6, 2014, at 7:33 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
> Well, that explains the interval. The example I posted was one of the smallest loss amounts, but what is an acceptable or expected loss level? In the last 6 hours my setup does have a 1448 out of 206031, or .7%. So .005% seems small, is .7% small?
> I am running the default local.bro, and it does have misc/scan loaded. I turn that off and see if I still see loss, but if 1% or less is considered normal loss even for a low load and small traffic, then I guess it is less important.
> On Wed, Mar 5, 2014 at 9:21 PM, Seth Hall <seth at icir.org> wrote:
> On Mar 4, 2014, at 11:02 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
> > 1393944936.832292 - - - - - - - - - PacketFilter::Dropped_Packets 11 packets dropped after filtering, 207913 received, 207913 on link - - - - - ids-1 Notice::ACTION_LOG 3600.000000 F - - - - -
> Turns out…
> PacketFilter::stats_collection_interval is 5 mins by default. You're seeing it reported every 5 minutes because that's the reporting interval. :)
> If you look into the percentage of traffic you're seeing reported as lost, it's actually 0.005% which isn't really that bad. Granted, it doesn't explain *why* you had a few packets reported as lost but in the grand scheme of things it's really not that bad.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> Bro mailing list
> bro at bro-ids.org
More information about the Bro