[Bro-Dev] snaplen and drops

William Jones jones at tacc.utexas.edu
Thu Oct 27 09:19:29 PDT 2011

On Linux there are two parameters that need to be tuned for Bro:


This controls the buffer used by the raw socket interface. I would start at 20 Megabytes if the interface is a 1 GigE Ethernet, 200 Megabytes if it is a 10 GigE Ethernet. Keep increasing it until it no longer has an effect on the drop rate. I use "tcpdump -i <interface> -w <file>" to check the drop rate. Let tcpdump run about 10 to 20 seconds and hit ctrl-c. Tcpdump will report the packets dropped by the system and the total packets received.

Increase net.core.netdev_max_backlog to 100000 

There are some 1 GigE Ethernet NICs that just can't be tuned.

-----Original Message-----
From: bro-dev-bounces at bro-ids.org [mailto:bro-dev-bounces at bro-ids.org] On Behalf Of Robin Sommer
Sent: Wednesday, October 26, 2011 11:25 PM
To: bro-dev at bro-ids.org
Subject: [Bro-Dev] snaplen and drops

On a reasonably fast Linux box seeing (currently) <10M/bps, I'm
getting lots of packet drops with current master, even though CPU is very
low. I did the usual sysctl tuning, but that didn't help. Then I
reduced the snaplen (which now defaults to 65K) down to 8K, and the
drops disappeared.

That seems quite an extreme effect of the new default value. Should
we reconsider and (1) use a smaller default, and/or (2) make the
snaplen accessible from the scripting layer (right now, there's only
-s; which doesn't work well with BroControl).

Is there other tuning to get around the problem (with standard kernel,
not PF_RING etc.)? 


Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
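
The drop-rate check described in the reply at the top of this thread (run tcpdump briefly, read its exit summary, repeat after each buffer increase) can be scripted. This is an added example, not part of the original emails; the function names are hypothetical, the summaries are constructed sample data, and the rate is taken as "dropped by kernel" over "received by filter".

```shell
#!/bin/sh
# Added example: turn tcpdump's exit summary into a drop percentage and
# decide whether the last buffer increase still helped.

# drop_rate: read a tcpdump summary on stdin, print dropped/received as a
# percentage with two decimals, or "n/a" if the counters are missing.
drop_rate() {
    awk '
        /packets received by filter/ { recv = $1; have_recv = 1 }
        /packets dropped by kernel/  { drop = $1; have_drop = 1 }
        END {
            if (!have_recv || !have_drop || recv == 0) { print "n/a"; exit }
            printf "%.2f\n", 100 * drop / recv
        }'
}

# still_improving PREV CUR [MIN_GAIN]: succeed while the drop rate fell by at
# least MIN_GAIN percentage points (default 0.10); return 2 on missing data.
still_improving() {
    case "$1$2" in *n/a*) return 2 ;; esac
    awk -v p="$1" -v c="$2" -v g="${3:-0.10}" 'BEGIN { exit !((p - c) >= g) }'
}

# Constructed summaries from three capture runs, each taken after raising
# the socket buffer (values are illustrative, not measurements).
RUN_A='241980 packets captured
250000 packets received by filter
8000 packets dropped by kernel'
RUN_B='249870 packets captured
250000 packets received by filter
125 packets dropped by kernel'
RUN_C='249872 packets captured
250000 packets received by filter
125 packets dropped by kernel'

prev=""
for run in "$RUN_A" "$RUN_B" "$RUN_C"; do
    cur=$(printf '%s\n' "$run" | drop_rate)
    echo "drop rate: ${cur}%"
    if [ -n "$prev" ] && ! still_improving "$prev" "$cur"; then
        echo "no further gain; stop increasing the buffer"
    fi
    prev=$cur
done
```

tcpdump prints its summary on stderr, so capture that stream when feeding a real run into drop_rate.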