[Bro] Linux Kernel dropping a lot of packets
Randolph Reitz
rreitz at fnal.gov
Tue Mar 13 12:23:59 PDT 2007
[snip]
At this point, I remembered Jason Lee's advice to tune the Linux
kernel. He suggested this link
http://www.net.t-labs.tu-berlin.de/research/bpcs/
So I did ...
[root@rhyolite bro-1.2.1]# cat /proc/sys/net/core/rmem_default
110592
[root@rhyolite bro-1.2.1]# echo 33554432 > /proc/sys/net/core/rmem_default
[root@rhyolite bro-1.2.1]# echo 33554432 > /proc/sys/net/core/rmem_max
[root@rhyolite bro-1.2.1]# echo 10000 > /proc/sys/net/core/netdev_max_backlog
[root@rhyolite bro-1.2.1]# /sbin/sysctl net.core.rmem_max
net.core.rmem_max = 33554432
OK, this looks like progress. I tried the same tcpdump as above.
Now I see ...
121 packets captured
149216 packets received by filter
121673 packets dropped by kernel
Before the 'tune', the kernel was dropping 99.8%. After the tune,
it's dropping 81.5%. Not much better. No fair to suggest I drop
Linux for FreeBSD!
-=-=-=-
Please ignore the previous email with this subject.
The kernel 'tuning' above seems to be working. Bro is now running
and the logs are filling up. Bro is consuming 100% of one CPU.
Thanks,
Randy Reitz
Computer Security Team
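
An added example, not part of the original message: a sensor health check that computes the kernel drop rate from tcpdump's closing summary and compares the three settings changed above against the values written in the post. The function names and the optional directory argument are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example; not code from the post or from the Bro project.

# drop_pct: read tcpdump's closing summary on stdin and print the share of
# filter-received packets that the kernel dropped, as a percentage.
drop_pct() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == "" || drop == "") {
                print "summary lines not found" > "/dev/stderr"; exit 2
            }
            if (recv == 0) { print "0.0"; exit 0 }
            printf "%.1f\n", 100 * drop / recv
        }'
}

# check_tunables [DIR]: report each setting the post changed and return
# non-zero if any is below the value the poster wrote. DIR defaults to the
# live /proc path; the override is an assumption so a copy can be checked.
check_tunables() {
    dir=${1:-/proc/sys/net/core}
    status=0
    for pair in rmem_default:33554432 rmem_max:33554432 netdev_max_backlog:10000
    do
        name=${pair%%:*}; want=${pair##*:}
        if [ ! -r "$dir/$name" ]; then
            echo "$name: unreadable"; status=1; continue
        fi
        have=$(cat "$dir/$name")
        if [ "$have" -lt "$want" ]; then
            echo "$name: $have (below $want)"; status=1
        else
            echo "$name: $have ok"
        fi
    done
    return $status
}

# Constructed input: the post-tuning summary quoted in the message.
SAMPLE='121 packets captured
149216 packets received by filter
121673 packets dropped by kernel'
printf '%s\n' "$SAMPLE" | drop_pct
check_tunables || true    # reads the live values on this host
```

Values written with echo into /proc do not survive a reboot, so running check_tunables at sensor start-up shows whether the tuning is still in place.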