[Bro-Dev] [JIRA] (BIT-1538) capture loss and notice of `Conn::Content_Gap` are too many

LiJinmiao (JIRA) jira at bro-tracker.atlassian.net
Sat Feb 20 07:27:00 PST 2016


LiJinmiao created BIT-1538:
------------------------------

             Summary: capture loss and notice of `Conn::Content_Gap` are too many 
                 Key: BIT-1538
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1538
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
         Environment: Dell R620
Ubuntu 14.04.04 Server LTS  + kde desktop
pf_ring 6.2.0
bro 2.4 with pf_ring
            Reporter: LiJinmiao
            Priority: High
         Attachments: capture_loss.log, files.log, http.log, notice.log, prof.log, reporter.log, stats.log, weird.log

I use Bro to extract files from HTTP streams.
I installed Bro from source code on Ubuntu Server 14.04. I want to use a virtual machine sandbox based on VirtualBox, so I installed a desktop in the end.
My installation document is `https://www.bro.org/sphinx/configuration/index.html#installing-pf-ring`. But I didn't start Bro with `broctl`. I just started Bro with the command `bro -i eth0 filextraction.bro`. And there is too much packet loss.
Then I tested Bro on another machine that has the same environment without a desktop. And there is no packet loss.
So I'm confused.
By the way, the driver of the NIC is `igb`.
And I can't clearly understand the document at `https://www.bro.org/documentation/faq.html#how-can-i-reduce-the-amount-of-captureloss-or-dropped-packets-notices`.
Thanks for any help.



--
This message was sent by Atlassian JIRA
(v7.2.0-OD-01-031#72000)

