[Bro] Dropping packets - How do I leverage multiple cores with BRO?

Martin Holste mcholste at gmail.com
Thu Nov 11 07:22:55 PST 2010


Maybe Bro somehow behaves differently, but I don't think it's possible
for anything reading a pcap file to drop packets since the program
will read them as it has buffer available.

To utilize multiple cores, try splitting the pcap into multiple files
with something like splitcap (splitcap.sourceforge.net) and running
parallel Bro processes.  I can't tell you whether this will be faster
in the end, but I suspect it would be, especially if you have splitcap
write its splits to stdout and have Bro read from stdin, avoiding any
disk writing.  This may take a bit of bash scripting, but I think it's
probably possible.  Does anyone already have something like this done
to send to Veronica?

On Thu, Nov 11, 2010 at 1:58 AM, Veronica Estrada
<estrada.veronica at gmail.com> wrote:
> Hello BRO professionals,
>
> I am using BRO v 1.5.1 to analyze off-line pcap files. When I run BRO
> on a 4 GB pcap file, one CPU core always reaches 100% but the server
> still has 15 more idle cores.
> The analysis uses brolite, dpd and detect-protocols.
>
> I am afraid BRO is losing packets. By the way, how can I measure
> packet dropping?
>
> The capture-loss generates this notice:
> no=CaptureLossSummary na=NOTICE_ALARM_ALWAYS msg=estimated\ rate\ \=\
> 0.0082201 tag=@36-6fb3-4a
>
> Are these events or bytes? Why does it indicate a tag? I cannot find any
> reference to this tag in any of the other logs. By reading the
> documentation, it seems you don't recommend this metric.
> Instead, I will be happy to know the number of packets that BRO
> processed. I cannot find where this number is logged.
>
> Best regards
>
> Veronica Estrada
> Nakao's Laboratory
> Univ. of Tokyo
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
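Martin's suggestion of splitting the trace and running one Bro per split is workable, but the split should be flow-aware: the dpd and detect-protocols analysis Veronica is using needs both directions of a connection in the same Bro process, so a naive split (every N packets to the next file) would quietly break stream reassembly. The following is an added example, not code from the thread or from the Bro project. It is a pure-Python splitter that assigns each TCP/UDP flow to a shard by a direction-independent 5-tuple hash, copies the pcap global header onto every shard, and checks that the shard packet counts add up to the input count (which also gives the input-side packet total Veronica could not find in the logs). It assumes Ethernet link type and classic pcap (not pcapng), and that `bro -r <file>` reads a trace in Bro 1.x; the shard file names, per-shard output directories and the constructed sample frames are assumptions of mine, not something from the original post.

```python
"""Flow-aware pcap splitter for running one Bro process per shard.

Added example, not from the thread.  Assumes Ethernet link type (DLT 1) and
classic pcap format; pcapng is rejected.
"""
import os
import struct
import sys
import zlib

PCAP_GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_REC_HDR = 16      # ts_sec, ts_frac, incl_len, orig_len


def _byte_order(magic):
    """struct prefix for the file's byte order (usec and nsec magics accepted)."""
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    raise ValueError("not a classic pcap file (pcapng?)")


def flow_key(pkt):
    """Direction-independent 5-tuple key for an Ethernet/IPv4 TCP or UDP frame.

    Returns None for anything else (ARP, IPv6, ICMP, truncated frames) so the
    caller can pin those to a fixed shard.
    """
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    src, dst = pkt[26:30], pkt[30:34]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(pkt) < l4 + 4:
        return None
    sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
    a, b = (src, sport), (dst, dport)
    lo, hi = (a, b) if a <= b else (b, a)   # sort so both directions match
    return lo[0] + lo[1].to_bytes(2, "big") + hi[0] + hi[1].to_bytes(2, "big") + bytes([proto])


def shard_of(pkt, nshards):
    """Shard index for one frame; flows without a 5-tuple all go to shard 0."""
    key = flow_key(pkt)
    return 0 if key is None else zlib.crc32(key) % nshards


def split_pcap(data, nshards):
    """Split pcap bytes into `nshards` pcap byte strings. Returns (shards, total)."""
    if len(data) < PCAP_GLOBAL_HDR:
        raise ValueError("truncated pcap global header")
    bo = _byte_order(data[:4])
    outs = [bytearray(data[:PCAP_GLOBAL_HDR]) for _ in range(nshards)]
    off, total = PCAP_GLOBAL_HDR, 0
    while off + PCAP_REC_HDR <= len(data):
        _, _, incl_len, _ = struct.unpack(bo + "IIII", data[off:off + PCAP_REC_HDR])
        end = off + PCAP_REC_HDR + incl_len
        if end > len(data):
            break   # truncated last record: drop it instead of writing garbage
        outs[shard_of(data[off + PCAP_REC_HDR:end], nshards)] += data[off:end]
        off, total = end, total + 1
    return [bytes(o) for o in outs], total


def count_packets(data):
    """Record count of a pcap; used to verify nothing was lost in the split."""
    return split_pcap(data, 1)[1]


def _frame(src, dst, sport, dport, proto=6):
    """Constructed minimal Ethernet/IPv4 frame with TCP or UDP ports (test data)."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def build_pcap(frames):
    """Serialize frames as a little-endian classic pcap (constructed sample)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1289500000 + i, 0, len(f), len(f)) + f
    return bytes(out)


A, B, C = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03"
SAMPLE_FRAMES = [                        # constructed, not a real capture
    _frame(A, B, 40000, 80),             # flow 1, client -> server
    _frame(B, A, 80, 40000),             # flow 1, server -> client
    _frame(A, C, 50000, 53, proto=17),   # flow 2, DNS query
    _frame(C, A, 53, 50000, proto=17),   # flow 2, DNS answer
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,   # ARP, no 5-tuple
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)


def write_shards(pcap_path, nshards, prefix="shard"):
    """Write shard files (names are an assumption) and verify the packet counts."""
    with open(pcap_path, "rb") as f:
        shards, total = split_pcap(f.read(), nshards)
    if sum(count_packets(s) for s in shards) != total:
        raise RuntimeError("shard packet counts do not add up to the input")
    paths = []
    for i, s in enumerate(shards):
        paths.append(f"{prefix}-{i}.pcap")
        with open(paths[-1], "wb") as f:
            f.write(s)
    print(f"{total} packets split into {nshards} shards")
    return paths


if __name__ == "__main__":
    # usage: split_bro.py trace.pcap NSHARDS [bro policy args...]
    # One Bro per shard, each in its own directory so their logs do not collide.
    import subprocess
    procs = []
    for i, p in enumerate(write_shards(sys.argv[1], int(sys.argv[2]))):
        os.makedirs(f"out-{i}", exist_ok=True)
        procs.append(subprocess.Popen(["bro", "-r", os.path.abspath(p)] + sys.argv[3:], cwd=f"out-{i}"))
    for pr in procs:
        pr.wait()
```

Run it as `python split_bro.py trace.pcap 16 brolite dpd detect-protocols` (the policy names being whatever the single-process run used). Each Bro instance only ever sees complete connections, so connection-level analysis is unaffected; anything that correlates across connections (scan detection, for instance) will see only its shard and must be merged afterwards.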


