[Bro-Dev] snaplen and drops
William Jones
jones at tacc.utexas.edu
Thu Oct 27 09:19:29 PDT 2011
On linux there set the two parameters that need to be tuned for bro:
net.core.rmem_max
net.core.rmem_default
This controls the buffer used by the raw socket interface. I would start at 20 Megabytes if the interface is a 1 GigE Ethernet 200 Megabyte if it a 10 GigE Ethernet. Keep increasing it as till it longer has an effect on the drop rate. I use "tcpdump -I <interface> -w <file>" to check the drop rate. Let tcpdump run about 10 to 20 seconds and hit ctrl-c. Tcpdump will report the packets dropped by the system and the total packets recived.
Increase net.core.netdev_max_backlog to 100000
There are some 1 GigE Ethernet nicks that just can't be tuned.
-----Original Message-----
From: bro-dev-bounces at bro-ids.org [mailto:bro-dev-bounces at bro-ids.org] On Behalf Of Robin Sommer
Sent: Wednesday, October 26, 2011 11:25 PM
To: bro-dev at bro-ids.org
Subject: [Bro-Dev] snaplen and drops
On a reasonable fast Linux box seeing (currently) <10M/bps, I'm
getting lots packet drops with current master, even though CPU is very
low. I did the usual sysctl tuning, but that didn't help. Then I
reduced the snaplen (which now defaults to 65K) down to 8K, and the
drops disappeared.
That seems is quite an extreme effect of the new default value. Should
we reconsider and (1) use a smaller default, and/or (2) make the
snaplen accesible from the scripting layer (right now, there's only
-s; which doens't work well with BroControl).
Is there other tuning to get around the problem (with standard kernel,
not PF_RING etc.)?
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
_______________________________________________
bro-dev mailing list
bro-dev at bro-ids.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
More information about the bro-dev
mailing list