[Bro] Issue with Bro reporting dropped packets
espressobeanies at gmail.com
Tue Feb 28 12:20:29 PST 2017
I'm trying to troubleshoot a Bro IDS that is experiencing capture loss with
dropped packets. The machine I'm using has a 16-core Intel Xeon processor,
96Gb RAM, and an Intel NIC. I have 3 Bro workers with CPU affinity enabled
and I'm using the pf_ring module on CentOS with no custom Bro scripts
running. All of my processors are running at 99% utilization.
According to my operating system, I'm dropping about 8000 packets over the
course of a day on a 300-400Mbps network. According to Bro capstats, I am
dropping about the same number of packets I'm receiving, sometimes more
than I receive. My capture_loss.log shows my workers lose about 30-50%
packets and my manager and proxy, 70-90%. I can provide any configurations
or screenshots if necessary.
I'm trying to troubleshoot where the issue lies. I initially installed Bro
with all the recommended packages (tcmalloc, etc...) and the pf_ring module
and I can see that Bro is using it. At this point, everything I see is
pointing to an application issue and I'm running Bro version 2.5. I had the
same issue with Bro v.2.4 as well.
Short of tweaking OS kernel and NIC card settings, I'm not sure where else
I could try to reduce my packet drop count in Bro. Any recommendations?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro