[Bro] dropped packets

Mike Patterson mike.patterson at uwaterloo.ca
Thu Mar 6 05:41:27 PST 2014


Mine will vary between sub-1-percent and up to about 9%, for Reasons I’ll clarify in another list mail (once I get things sorted out so I’m back to under 1% loss). I’m not *pleased* about anything over 2-3%, but I can accept that. Anything under 1 and I’m happy; it’s very likely noise, given we’re a large network and see a ton of weird traffic that I don’t expect Bro to be able to fully account for.

For reference, I’ve got 8 workers going on an overloaded box that sees a floor of 350Mbps and a ceiling of about 3.5Gbps (although I’ve seen sustained peaks up to 6 and short peaks up to 12).

Mike

-- 
Faced with the choice between changing one's mind and proving that
there is no need to do so, almost everyone gets busy with the proof.
- J.K. Galbraith

On Mar 6, 2014, at 7:33 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:

> Well, that explains the interval. The example I posted was one of the smallest loss amounts, but what is an acceptable or expected loss level? In the last 6 hours my setup does have 1448 out of 206031, or .7%. So .005% seems small, is .7% small?
> 
> I am running the default local.bro, and it does have misc/scan loaded. I'll turn that off and see if I still see loss, but if 1% or less is considered normal loss even for a low load and small traffic, then I guess it is less important.
> 
> 
> On Wed, Mar 5, 2014 at 9:21 PM, Seth Hall <seth at icir.org> wrote:
> 
> On Mar 4, 2014, at 11:02 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
> 
> > 1393944936.832292     -       -       -       -       -       -       -       -       -       PacketFilter::Dropped_Packets   11 packets dropped after filtering, 207913 received, 207913 on link     -       -       -       -       -       ids-1   Notice::ACTION_LOG      3600.000000     F       -       -       -       -       -
> 
> Turns out…
> 
> PacketFilter::stats_collection_interval is 5 mins by default.  You're seeing it reported every 5 minutes because that's the reporting interval. :)
> 
> If you look into the percentage of traffic you're seeing reported as lost, it's actually 0.005% which isn't really that bad.  Granted, it doesn't explain *why* you had a few packets reported as lost but in the grand scheme of things it's really not that bad.
> 
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
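
The loss figures traded in this thread can be computed per worker straight from notice.log. The following is an added example, not code from the thread or from the Bro project: it sums the `PacketFilter::Dropped_Packets` notices per peer and reports dropped/received as a percentage. The column offsets are assumed from the notice line quoted above, the `worker-2` rows are constructed, and the 1% and 3% cut-offs are only the comfort levels Mike describes.

```python
import re
from collections import defaultdict

NOTE = "PacketFilter::Dropped_Packets"
MSG_RE = re.compile(
    r"(\d+) packets dropped after filtering, (\d+) received(?:, (\d+) on link)?")

def _row(ts, msg, peer):
    # Tab-separated layout copied from the notice line quoted in the thread.
    return "\t".join([ts] + ["-"] * 9 + [NOTE, msg] + ["-"] * 5 +
                     [peer, "Notice::ACTION_LOG", "3600.000000", "F"] + ["-"] * 5)

# Constructed sample: the first row carries the counts from the thread; the
# second interval and the "worker-2" peer are made up for illustration.
SAMPLE_LOG = "\n".join([
    "#fields\t(header elided in this constructed sample)",
    _row("1393944936.832292",
         "11 packets dropped after filtering, 207913 received, 207913 on link", "ids-1"),
    _row("1393945236.832292", "0 packets dropped after filtering, 198400 received", "ids-1"),
    _row("1393944936.900000",
         "9000 packets dropped after filtering, 100000 received, 109000 on link", "worker-2"),
    _row("1393945236.900000",
         "1000 packets dropped after filtering, 100000 received, 101000 on link", "worker-2"),
])

def loss_by_worker(log_text):
    """Return {peer: (dropped, received, percent)} summed over all intervals."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        fields = line.split("\t")
        if line.startswith("#") or NOTE not in fields:
            continue
        i = fields.index(NOTE)
        m = MSG_RE.search(fields[i + 1]) if i + 1 < len(fields) else None
        if not m:
            continue  # message format differs from the one seen in the thread
        peer = fields[i + 7] if i + 7 < len(fields) else "-"  # assumed offset
        totals[peer][0] += int(m.group(1))
        totals[peer][1] += int(m.group(2))
    return {p: (d, r, 100.0 * d / r if r else 0.0) for p, (d, r) in totals.items()}

def classify(pct, ok_below=1.0, tolerate_up_to=3.0):
    # Thresholds are one operator's comfort levels from this thread, not a standard.
    if pct < ok_below:
        return "ok"
    return "tolerable" if pct <= tolerate_up_to else "investigate"

if __name__ == "__main__":
    for peer, (d, r, pct) in sorted(loss_by_worker(SAMPLE_LOG).items()):
        print(f"{peer}: {d}/{r} dropped = {pct:.4f}% -> {classify(pct)}")
```

Summing over intervals before dividing matters: averaging the per-interval percentages would weight a quiet five minutes the same as a busy one.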




