[Bro] Problem: Bro listening on two ethernet interfaces
Aashish Sharma
aashish at uiuc.edu
Thu May 19 07:21:52 PDT 2005
Hi Christoph, Tim, All:
(I was waiting to get some information/clarifications but nothing yet)
Yes, we were/are seeing two very different types of dropped packets notifications:
1) Initially packets were dropped at the interface but, as Tim pointed out, that got fixed and the current count is substantially low:
RX packets:3550702871 errors:25 dropped:23 overruns:2 frame:2
RX packets:1577193887 errors:13 dropped:13 overruns:0 frame:0
2) Dropped packets notice in the notice.log files. Example:
t=1116392591.523558 no=DroppedPackets na=NOTICE_FILE msg=4475\ packets\ dropped\ after\ filtering,\ 21924\ received
Looking at the policy file (netstats.bro) I am inclined to think that these notices are generated because of the bro filter. Please correct me here.
So in short, since we are using a direct network feed, right now I am relying on the error count on the interfaces, which shows a very low number of packet drops. With bro, meanwhile, we do get dropped packets notices in the notice.log file, which are due to the bro filter.
What I cannot answer/understand right now is:
Is there any way I can find out whether bro is actually dropping packets, if at all?
Aashish
> I'll let my co-worker, Aashish Sharma, reply to the specific issue of
> bro dropping packets. However, there are two corrections we made to
> correct for dropped packets and errors that we were receiving on our
> 1GB fiber interfaces after first installing bro and turning it on.
>
> First, we set the MTU from 1500 to 9000.
> Second, we set LowLatency=On (i.e. modprobe sk98lin LowLatency=On)
>
> That second fix is specific to the fiber cards we are using. After
> these two changes, we are no longer receiving errors on the interfaces.
>
> Aashish Sharma will follow up with bro specific packet loss answer.
>
> Thanks,
>
> Tim
>
> Christoph Goeldi wrote:
>
> > Hi Tim
> >
> > Quoting Tim Brooks <tbrooks at ncsa.uiuc.edu>:
> >
> >>
> >> Ours works fine on linux with the interfaces set in etc/bro.cfg like:
> >>
> >> BRO_CAPTURE_INTERFACE="eth2 eth3"
> >
> >
> > Are you really sure that Bro doesn't drop most of the captured
> > packets?
> >
> > I would like to know what Linux version (distro), what Bro version and what
> > interfaces (100Mbit or 1Gbit / manufacturer) you use.
> >
> > Thank you for your time
> > Christoph
>
>
> --
> Tim Brooks
> Security Engineer
>
> National Center for Supercomputing Applications
> 605 East Springfield Avenue Champaign, IL 61820
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
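
An added example, not part of the original message or of Bro's own code: it parses DroppedPackets lines in the notice.log format quoted above and the ifconfig RX counters, so the two drop figures discussed in the thread can be compared side by side. The function names, the second and third log lines, and reading dropped/received as a loss ratio are assumptions of the example.

```python
import re

# Constructed input: the first notice.log line and the RX line are the ones
# quoted in the message; the other two notice lines are made up for the example.
NOTICE_LOG = r"""t=1116392591.523558 no=DroppedPackets na=NOTICE_FILE msg=4475\ packets\ dropped\ after\ filtering,\ 21924\ received
t=1116392601.523558 no=DroppedPackets na=NOTICE_FILE msg=12\ packets\ dropped\ after\ filtering,\ 30000\ received
t=1116392611.000000 no=OtherNotice na=NOTICE_FILE msg=unrelated\ text
"""
RX_LINE = "RX packets:3550702871 errors:25 dropped:23 overruns:2 frame:2"

FIELD = re.compile(r"(\w+)=((?:\\.|[^\s\\])*)")  # key=value, spaces escaped as "\ "
DROP_MSG = re.compile(r"(\d+) packets dropped after filtering, (\d+) received")

def parse_notice(line):
    """Split one notice.log line into a dict, undoing the backslash escapes."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in FIELD.findall(line)}

def dropped_packet_notices(text):
    """Return (timestamp, dropped, received) for every DroppedPackets notice."""
    out = []
    for line in text.splitlines():
        rec = parse_notice(line)
        m = DROP_MSG.search(rec.get("msg", ""))
        if rec.get("no") == "DroppedPackets" and m:
            out.append((float(rec["t"]), int(m.group(1)), int(m.group(2))))
    return out

def parse_rx(line):
    """Parse an ifconfig 'RX packets:... dropped:...' line into integer counters."""
    return {k: int(v) for k, v in re.findall(r"(\w+):(\d+)", line)}

def loss_report(notice_text, rx_line):
    """Summarise drops seen in notice.log next to drops counted at the interface."""
    notices = dropped_packet_notices(notice_text)
    dropped = sum(n[1] for n in notices)
    received = sum(n[2] for n in notices)
    rx = parse_rx(rx_line)
    return {
        "notices": len(notices),
        "bro_dropped": dropped,
        "bro_ratio": dropped / received if received else 0.0,
        "worst": max(notices, key=lambda n: n[1] / n[2] if n[2] else 0.0, default=None),
        "nic_dropped": rx["dropped"],
        "nic_ratio": rx["dropped"] / rx["packets"] if rx["packets"] else 0.0,
    }

if __name__ == "__main__":
    for key, value in loss_report(NOTICE_LOG, RX_LINE).items():
        print(f"{key}: {value}")
```
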