[Bro] Problem: Bro listening on two ethernet interfaces

Vern Paxson vern at icir.org
Thu May 19 12:08:36 PDT 2005


> t=1116392591.523558 no=DroppedPackets na=NOTICE_FILE msg=4475\ packets\ dropped\ after\ filtering,\ 21924\ received
> 
> Looking at the policy file (netstats.bro) I am inclined to think that these
> notices are generated because of bro filter. Please correct me here.

I'm not sure what you mean by "because of bro filter", but those reports
are generated based on retrieving statistics from libpcap, and "after
filtering" means after applying the filter Bro specified to pcap, which
you can see using print-filter.bro.

> What I cannot answer/understand right now is:
> 
> Is there any way I can find out whether Bro is actually dropping packets, if at all?

Look for AckAboveHole and ContentGap notices.  These can both happen for
other reasons, but primarily happen due to dropped packets.

		Vern
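
Added example, not part of the original message and not Bro's own code: a small Python parser for the tagged notice format quoted above that counts DroppedPackets, AckAboveHole and ContentGap notices and totals the libpcap drop reports. The field layout is inferred from the single quoted line; every sample line except the first is constructed, and the `msg` text of the AckAboveHole and ContentGap lines is a placeholder.

```python
import re
from collections import Counter

# Constructed sample lines in the tagged format quoted above. Only the first
# line's wording comes from the thread; the other msg texts are placeholders.
SAMPLE_LOG = r"""
t=1116392591.523558 no=DroppedPackets na=NOTICE_FILE msg=4475\ packets\ dropped\ after\ filtering,\ 21924\ received
t=1116392601.100000 no=AckAboveHole na=NOTICE_FILE msg=constructed\ placeholder
t=1116392602.200000 no=ContentGap na=NOTICE_FILE msg=constructed\ placeholder
t=1116392651.523558 no=DroppedPackets na=NOTICE_FILE msg=120\ packets\ dropped\ after\ filtering,\ 30000\ received
t=1116392660.000000 no=ContentGap na=NOTICE_FILE msg=constructed\ placeholder
"""

# key=value fields separated by unescaped spaces; "\ " is a literal space.
FIELD_RE = re.compile(r"(\w+)=((?:\\.|[^\\\s])*)")
DROP_RE = re.compile(r"(\d+) packets dropped after filtering, (\d+) received")
LOSS_NOTICES = {"AckAboveHole", "ContentGap"}

def parse_line(line):
    """Split one tagged notice line into a dict, undoing backslash escapes."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in FIELD_RE.findall(line)}

def summarize(log_text):
    """Count loss-related notices and total the libpcap drop reports."""
    counts, dropped, received = Counter(), 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        name = rec.get("no")
        if name == "DroppedPackets":
            m = DROP_RE.search(rec.get("msg", ""))
            if m:
                dropped += int(m.group(1))
                received += int(m.group(2))
            counts[name] += 1
        elif name in LOSS_NOTICES:
            counts[name] += 1
    return {"counts": dict(counts), "dropped": dropped, "received": received}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["counts"])
    print(f"libpcap reported {s['dropped']} dropped, {s['received']} received")
```

DroppedPackets reports with few or no AckAboveHole/ContentGap notices in the same period, or the reverse, are worth a closer look, since the message notes those two notices can also have other causes.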


