[Bro] Dropping packets - How do I leverage multiple core with BRO?
Veronica Estrada
estrada.veronica at gmail.com
Wed Nov 10 23:58:09 PST 2010
Hello BRO professionals,
I am using BRO v 1.5.1 to analyze off-line pcap files. When I run BRO
on 4Gb pcap file, one CPU core always reaches 100% but the server
still has more 15 idle cores.
The analysis uses brolite, dpd and detect-protocols.
I am afraid BRO is loosing packets. By the way, how can I measure
packet dropping?
The capture-loss generates this notice:
no=CaptureLossSummary na=NOTICE_ALARM_ALWAYS msg=estimated\ rate\ \=\
0.0082201 tag=@36-6fb3-4a
Are this events or bytes? WHy indicates tag? I cannot find any
reference to this tag in any of the other logs. By reading the
documentation, it seems you don't recommend this metric.
Instead, I will be happy to know the number of packets that BRO
processed. I cannot find where is this number logged.
Best regards
Veronica Estrada
Nakao's Laboratory
Univ. of Tokyo
More information about the Bro
mailing list