[Bro] Linux Kernel dropping a lot of packets

Peter Van Epp vanepp at sfu.ca
Tue Mar 13 13:11:09 PDT 2007


On Tue, Mar 13, 2007 at 01:58:42PM -0500, Randolph Reitz wrote:
> I'm wondering why Bro is so quiet.  So I tried tcpdump with Bro's  
> filter ...
> 
> [root at rhyolite rreitz]# /usr/sbin/tcpdump -i eth2  
> '((((((((((((((((((((((port 111) or (port smtp)) or (port ftp)) or  
> (port smtp)) or (icmp)) or (tcp[2:2] > 32770 and tcp[2:2] < 32901 and  
> tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139)) or ((ip[6:2]  
> & 0x3fff != 0) and tcp)) or (port 111)) or (tcp dst port 80 or tcp  
> dst port 8080 or tcp dst port 8000)) or (tcp src port 80 or tcp src  
> port 8080 or tcp src port 8000)) or (port 6666)) or (port 512 or port  
> 513 or port 515)) or (tcp port 80 or tcp port 8080 or tcp port 8000  
> or tcp port 8001)) or (port telnet or tcp port 513)) or (port  
> telnet)) or (port 53)) or ((src net 131.225.0.0/16 or src net  
> 198.124.212.0/24 or src net 198.124.213.0/24) and (dst port 135 or  
> dst port 137 or dst port 139 or dst port 445))) or (tcp[13] & 7 !=  
> 0)) or (port ftp)) or (port 6667)) or (port 143)) or (udp port 69))  
> or (port 161 or port 162)'
> tcpdump: WARNING: eth2: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol  
> decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
> ....
> 
> Killing after ~10 seconds ...
> 
> 166 packets captured
> 249098 packets received by filter
> 248721 packets dropped by kernel
> 
<snip>

	If you are up for adventure you should look at the pf-ring code from
www.ntop.org. While fairly exciting to get in (it replaces the native pcap
code in the kernel) once you do it appears to work fairly well. On an earlier
version of pf-ring we managed to keep up with a 995 megabit jumbo frame netperf
run with argus (the jumbos however are the best case traffic scenario). I have
the latest version running in an IBM P510 in OpenSUSE 10.2 and a 2.6.18 kernel
(I think) but haven't yet managed to get it onto a busy gig link (the
original link has gone 10 gig in the interim and is thus no longer available
:-)). Small packets are its most likely weakness.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
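The three counters tcpdump printed in the quoted run (166 captured, 249098 received by filter, 248721 dropped by kernel) are the whole diagnosis: almost every packet the kernel counted for the socket was discarded before libpcap read it. The following script is an added illustration, not part of the thread or of Bro or pf_ring, that parses that closing summary and turns it into a loss percentage and an offered packet rate. The ~10 second run length is taken from the post and passed in as an assumption, since tcpdump does not report elapsed time; the sample text is constructed from the summary lines above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the summary lines tcpdump printed in the quoted run,
# preceded by its start-up chatter so the parser has to skip non-summary lines.
SAMPLE_SUMMARY = """\
tcpdump: WARNING: eth2: no IPv4 address assigned
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
166 packets captured
249098 packets received by filter
248721 packets dropped by kernel
"""


@dataclass(frozen=True)
class CaptureStats:
    captured: int   # packets libpcap actually handed to the application
    received: int   # packets the kernel counted for this capture socket
    dropped: int    # packets the kernel discarded because the buffer was full

    @property
    def loss_pct(self) -> float:
        """Share of received packets that never reached user space."""
        return 100.0 * self.dropped / self.received if self.received else 0.0


_SUMMARY_RE = {
    "captured": re.compile(r"^(\d+) packets? captured\b"),
    "received": re.compile(r"^(\d+) packets? received by filter\b"),
    "dropped":  re.compile(r"^(\d+) packets? dropped by kernel\b"),
}


def parse_tcpdump_summary(text: str) -> CaptureStats:
    """Pull the three closing counters out of tcpdump's stderr output.

    Non-summary lines are ignored.  A missing counter is an error rather than
    a silent zero: "0 dropped by kernel" is exactly the claim we must not fake.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pat in _SUMMARY_RE.items():
            m = pat.match(line)
            if m:
                found[key] = int(m.group(1))
    missing = [k for k in _SUMMARY_RE if k not in found]
    if missing:
        raise ValueError(f"tcpdump summary incomplete, missing: {missing}")
    return CaptureStats(found["captured"], found["received"], found["dropped"])


def assess_capture(stats: CaptureStats, seconds: float,
                   max_loss_pct: float = 1.0) -> dict:
    """Turn the raw counters into the numbers a sensor operator acts on.

    `seconds` is the wall-clock length of the run (assumed ~10 s here, from
    the post) and is an input assumption, not something tcpdump reports.
    captured + dropped need not equal received: tcpdump reads the kernel
    counters at exit, slightly after it stopped pulling packets, so a small
    gap (211 packets in the sample) is normal and not itself a problem.
    """
    if seconds <= 0:
        raise ValueError("run length must be positive")
    return {
        "loss_pct": round(stats.loss_pct, 2),
        "pps_offered": round(stats.received / seconds),
        "pps_kept": round(stats.captured / seconds),
        "overrun": stats.loss_pct > max_loss_pct,
    }


if __name__ == "__main__":
    s = parse_tcpdump_summary(SAMPLE_SUMMARY)
    print(s)
    print(assess_capture(s, seconds=10))
```

On the sample this reports roughly 99.85% loss at about 25,000 packets per second offered to the socket, which is the number to compare against whatever the capture path (stock libpcap, or pf_ring as suggested above) can actually sustain.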


