[Bro] Help with missed_bytes affecting hash creations in files.log
castle1126 at yahoo.com
Tue Jul 19 07:49:25 PDT 2016
Yes, I've had the capture_loss script enabled for some time on my system. Looking at today's entries - I've seen percent loss in 154 of 344 entries, with the largest percentage being 2.9%. Checking "broctl netstats" I'm showing 0 dropped by my workers.
On Monday, July 18, 2016 5:06 PM, Vlad Grigorescu <vladg at illinois.edu> wrote:
Try adding this to local.bro:
And then checking the capture_loss.log file which it will generate (will
take 15 minutes to get it to appear initially). For more information
about capture loss, see:
Stephen Castellarin <castle1126 at yahoo.com> writes:
> I have Bro 2.4.1 running on an older system (2 Intel X5550 processors giving 8 CPUs), 48Gb memory running 64 bit Ubuntu (14.04.4) server, using PF_Ring with an Intel 82571EB Ethernet card (1gb copper). This system is sitting on a network tap that is just seeing SMTP traffic between our outer mail gateway and our inside mail infrastructure. My Bro configuration is relatively simple, with a nodes.cfg being:
> When I look at the files.log file I see instances of files that have missing_bytes, which causes the hashes to not be calculated. Running an IFCONFIG I don't see any drops, errors, etc. Same with running broctl netstats, no drops. SAR reports on that system show the CPUs running at 73% IDLE.
> Is there something I'm missing in tuning or tweaking our configuration? Can I get to a point where I have zero files with no missed_bytes, or will there always be something or things with missed_bytes? A hardware upgrade can be in our future, but I'm trying to prove this concept by using this setup to help get funding for upgrading.
> Thanks all, Steve
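Added example, not part of the original thread: one way to measure how many files in files.log were left unhashed because of a stream gap, as opposed to unhashed for some other reason. It assumes the tab-separated Bro log layout with a `#fields` header and the `missing_bytes` and `md5` columns; the sample records, fuids and hash placeholders are constructed.

```python
import io

# Constructed sample: a subset of files.log columns in Bro's TSV layout.
SAMPLE = "\n".join([
    "#separator \\x09",
    "#path\tfiles",
    "#fields\tts\tfuid\tsource\tseen_bytes\tmissing_bytes\tmd5",
    "1468936165.10\tFaaa1\tSMTP\t52110\t0\tmd5-placeholder-1",
    "1468936170.42\tFbbb2\tSMTP\t88000\t1448\t-",
    "1468936181.07\tFccc3\tSMTP\t1204\t0\tmd5-placeholder-3",
    "1468936190.55\tFddd4\tSMTP\t403112\t2896\t-",
    "1468936201.33\tFeee5\tSMTP\t640\t0\t-",
    "1468936215.90\tFfff6\tSMTP\t9120\t0\tmd5-placeholder-6",
]) + "\n"


def read_bro_log(stream):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #fields header")
            yield dict(zip(fields, line.split("\t")))


def hash_gap_report(stream):
    """Separate files left unhashed by a stream gap from other unhashed files."""
    report = {"total": 0, "missing_bytes": 0,
              "gap_unhashed": [], "other_unhashed": []}
    for rec in read_bro_log(stream):
        report["total"] += 1
        raw = rec.get("missing_bytes", "-")
        missing = int(raw) if raw.isdigit() else 0  # "-" means the field is unset
        report["missing_bytes"] += missing
        if rec.get("md5", "-") == "-":
            key = "gap_unhashed" if missing > 0 else "other_unhashed"
            report[key].append(rec["fuid"])
    total = report["total"]
    report["gap_pct"] = round(100.0 * len(report["gap_unhashed"]) / total, 1) if total else 0.0
    return report


if __name__ == "__main__":
    print(hash_gap_report(io.StringIO(SAMPLE)))
```

To run it against a real log, pass an open file handle for files.log instead of the sample; the fuids it returns can be looked up in conn.log via conn_uids to see which connections had gaps.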