[Bro] capstats doesn't work with af_packet

erik clark philosnef at gmail.com
Thu Nov 10 07:48:30 PST 2016


Hm, ok. Previously I was using pfcount, since we were using pf_ring, but
since moving to af_packet, pfcount is obviously no longer an option, and I
was hoping to use capstats as a standalone. Thanks for the quick response!
Will probably just massage this into Splunk with a timechart.

On Thu, Nov 10, 2016 at 10:27 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Nov 10, 2016, at 9:17 AM, erik clark <philosnef at gmail.com> wrote:
> >
> > Subject says it all. When I run interface=af_packet::em3, broctl
> capstats reports no statistics.
> > How can I fix this, as I rely on this information for traffic profiling
> of the system. Thanks!
> >
>
>
> It doesn't work right, and it can't really work right.  I think the short
> answer is that capstats is going away.  As a standalone tool it is ok, but
> running it on a schedule is not a great feature. It generates stats by
> actually capturing the packets and reporting on what it saw.  On a heavily
> loaded worker this is the absolute last thing you want to do.
>
> The stats.log will contain the same data split out by worker in the fields
> like bytes_recv, pkts_proc, pkts_dropped, pkts_link.  You should be able to
> do the profiling you need using this data.
>
> --
> - Justin Azoff
>
>
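The per-worker profiling suggested in the quoted reply can be done directly on stats.log. The following is an added example, not code from the thread or from the Bro project: it assumes Bro's tab-separated log layout with a `#fields` header, the `ts` and `peer` columns, and per-interval counts in each row. The sample rows are constructed, and dropped / (processed + dropped) is one assumed choice of drop ratio.

```python
# Added example: per-worker totals and drop percentage from a Bro stats.log.
# Constructed sample rows; only the columns named in the thread plus ts and peer.
SAMPLE = "\n".join([
    "#separator \\x09",
    "#fields\tts\tpeer\tpkts_proc\tbytes_recv\tpkts_dropped\tpkts_link",
    "#types\ttime\tstring\tcount\tcount\tcount\tcount",
    "1478792700.0\tmanager\t-\t-\t-\t-",
    "1478792700.0\tworker-1\t900000\t720000000\t100000\t1000000",
    "1478792700.0\tworker-2\t1000000\t800000000\t0\t1000000",
    "1478793000.0\tworker-1\t950000\t760000000\t50000\t1000000",
    "1478793000.0\tworker-2\t500000\t400000000\t0\t500000",
])

COUNTERS = ("pkts_proc", "bytes_recv", "pkts_dropped", "pkts_link")

def parse_stats(lines):
    """Sum the counters per peer, reading column positions from #fields."""
    fields, totals = None, {}
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            row = dict(zip(fields, line.split("\t")))
            peer = totals.setdefault(row["peer"], dict.fromkeys(COUNTERS, 0))
            for name in COUNTERS:
                value = row.get(name, "-")
                if value != "-":  # "-" marks an unset field (e.g. no live capture)
                    peer[name] += int(value)
    return totals

def drop_percent(counters):
    """Assumed ratio: dropped / (processed + dropped); None if nothing was seen."""
    seen = counters["pkts_proc"] + counters["pkts_dropped"]
    return None if seen == 0 else round(100.0 * counters["pkts_dropped"] / seen, 2)

def report(text):
    """Map each peer in the log text to its drop percentage."""
    return {peer: drop_percent(c) for peer, c in parse_stats(text.splitlines()).items()}

if __name__ == "__main__":
    for peer, pct in sorted(report(SAMPLE).items()):
        print(peer, "n/a" if pct is None else f"{pct}% dropped")
```

Because the column positions come from the `#fields` line, the same parser works when the real log carries additional columns.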