[Bro] How to interpret dropped packets numbers?

Peter Wurzinger pw at seclab.tuwien.ac.at
Mon Nov 17 07:31:29 PST 2008 

Hello!

I have a simple question concerning the log output of bro in terms of 
dropped packets. In my logs I find lines typically looking somewhat like 
the following:

1226932503.913993:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 
packets dropped after filtering, 27140 received::@f1-2fa2-4a
1226932513.914576:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 
packets dropped after filtering, 25282 received::@f1-2fa2-4b
1226932523.915773:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 
packets dropped after filtering, 28475 received::@f1-2fa2-4c
1226932533.915773:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 
packets dropped after filtering, 29652 received::@f1-2fa2-4d
1226932543.915927:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 
packets dropped after filtering, 23517 received::@f1-2fa2-4e
1226932553.916319:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 
packets dropped after filtering, 25519 received::@f1-2fa2-4f
1226932563.916847:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1181 
packets dropped after filtering, 42911 received::@f1-2fa2-50
1226932573.916864:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1181 
packets dropped after filtering, 24068 received::@f1-2fa2-51
1226932583.916923:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1181 
packets dropped after filtering, 23854 received::@f1-2fa2-52
1226932593.916972:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 
packets dropped after filtering, 26452 received::@f1-2fa2-53
1226932603.917322:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 
packets dropped after filtering, 23351 received::@f1-2fa2-54
1226932613.917342:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 
packets dropped after filtering, 22009 received::@f1-2fa2-55
1226932623.917497:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 
packets dropped after filtering, 24184 received::@f1-2fa2-56
1226932633.918049:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 
packets dropped after filtering, 22079 received::@f1-2fa2-57
1226932643.918297:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 
packets dropped after filtering, 24630 received::@f1-2fa2-58

Obviously, every 10 seconds bro outputs a line with dropped packets 
information. Unfortunately, I am not sure about how exactly to interpret 
the numbers. Are they total counts since the beginning of the current 
bro execution, are they per 10 seconds timeslice, or something even 
different? I am confused by the fact that the dropped numbers are often 
the same but never decrease (which points towards a total count), and on 
the other hand the received numbers behave differently.

What exactly does "received" mean? Does this include the dropped 
packets? I.e., do i need to subtract them if I want to know how many 
packets have actually been handled and processed by bro?

If I wanted to calculate the percentage of dropped packets over the 
period of a log-file, how would I do it?

Regards,
Peter.

More information about the Bro mailing list