[Bro] Bro Digest, Vol 62, Issue 3

Chuck Little mdmonk at gmail.com
Fri Jun 17 13:35:32 PDT 2011 

Thanks Scott! I forgot about the vlan part. So I added that policy to be
loaded, restarted bro, and it appears to be working. woo hoo!

I also had to make a couple additional mods to tunable kernel params:
# in /boot/loader.conf:
kern.ipc.nmbclusters="131072"
kern.ipc.nmbjumbo9="131072"
hw.igb.rxd="512"

# in /etc/sysctl.conf:
## Increase packet capture buffer sizes
net.bpf.maxbufsize=10485760
net.bpf.bufsize=10485760
## Increase socket buffer limits
kern.ipc.maxsockbuf=4194304

Which got rid of the "igb0: Could not setup receive structures" errors
at boot time (dmesg output). But I still have the "pcap bufsize = 0" in
each of the stderr.log log files.

I appreciate all the assistance folks!

-Chuck

On 6/17/11 1:00 PM, bro-request at bro-ids.org wrote:

> Today's Topics:
> 
>    1. Re: Pcap Buffer = 0 (Scott Sakai)
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 16 Jun 2011 12:28:11 -0700
> From: Scott Sakai <ssakai at sdsc.edu>
> Subject: Re: [Bro] Pcap Buffer = 0
> To: bro at bro-ids.org
> Message-ID: <4DFA594B.9080509 at sdsc.edu>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Hi Chuck,
> 
> Just a thought: Is the traffic that you're (not) capturing vlan tagged?
> 
> tcpdump with the '-e' argument and no filter will tell you for sure.
> 
> If so, you need to load the vlan policy, otherwise libpcap will apply the
> filter rules to the wrong frame offsets.
> 
> 
> On 06/16/2011 10:08 AM, Chuck Little wrote:
>> Output:
>>
>> [rigel /raid/bro/bin]# ./broctl capstats
>>
>> Interface    kpps       mbps       (10s average)
>> ------------------------------
>> rigel-igb0   0.0        0.0
>> rigel-igb1   39.7       147.0
>> rigel-igb2   19.2       96.7
>> rigel-igb3   24.1       137.3
>> rigel-igb4   0.0        0.0
>> rigel-igb5   0.0        0.0
>>
>> Total        83.0       381.0
>>
>>
>> -Chuck
>>
>> On 6/16/11 11:02 AM, Justin Azoff wrote:
>>> On Thu, Jun 16, 2011 at 12:26:24PM -0400, Chuck Little wrote:
>>>> I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing
>>>> traffic. I know I'm missing something (config setting, etc) but am
>>>> unsure what it is. I consulted teh Google but didn't have much luck.
>>>> Could someone provide some insight/advice? Thanks!
>>>>
>>>> -Chuck
>>>

More information about the Bro mailing list