[Bro] capstats doesnt work with af_packet
philosnef at gmail.com
Thu Nov 10 07:48:30 PST 2016
Hm, ok. Previously I was using pfcount, since we were using pf_ring, but
since moving to af_packet, pfcount is obviously no longer an option, and I
was hoping to use capstats as a standalone. Thanks for the quick response!
Will probably just massage this into splunk with a timechart.
On Thu, Nov 10, 2016 at 10:27 AM, Azoff, Justin S <jazoff at illinois.edu>
> > On Nov 10, 2016, at 9:17 AM, erik clark <philosnef at gmail.com> wrote:
> > Subject says it all. When I run interface=af_packet::em3, broctl
> capstats reports no statistics.
> > How can I fix this, as I rely on this information for traffic profiling
> of the system. Thanks!
> It doesn't work right, and it can't really work right. I think the short
> answer is that capstats is going away. As a standalone tool it is ok, but
> running it on a schedule is not a great feature. It generates stats by
> actually capturing the packets and reporting on what it saw. On a heavily
> loaded worker this is the absolute last thing you want to do.
> The stats.log will contain the same data split out by worker in the fields
> like bytes_recv, pkts_proc,pkts_dropped,pkts_link. You should be able to
> do the profiling you need using this data.
> - Justin Azoff
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro