[Bro] Bro 2.0 packets dropped

Seth Hall seth at icir.org
Fri Feb 3 05:52:11 PST 2012


On Feb 3, 2012, at 8:38 AM, Machiel van Veen wrote:

> Besides tuning the receive buffer and queue length is there anything else I 
> can do about this?
> 
> worker-1: 1328274953.996680 recvd=129059158 dropped=114860 link=129174018
> worker-2: 1328274954.197859 recvd=129059218 dropped=115120 link=129174338
> worker-3: 1328274954.397642 recvd=129052866 dropped=122170 link=129175036


Are you monitoring 3 separate links on three interfaces?  I'm a little suspicious that you may be monitoring the same traffic three separate times.  You will need to load balance the traffic across those three workers if it's a single interface (I'm working on automating this now).

Could you add a line to load the misc/capture-loss script to your local.bro?
@load misc/capture-loss

After you do that, make sure you do "check", "install", "restart" in broctl.  The capture-loss script will give you another measure of packet loss that is not based on information being received from the NIC.  Oh, that brings up another question.  What NICs are you using?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
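
An added example, not part of the message above and not Bro or broctl code: it parses the per-worker counter lines quoted in the message, computes each worker's drop percentage, and flags the case the reply is suspicious of, where every worker reports nearly the same `link` count. The function names and the 0.1% tolerance are assumptions made for this illustration.

```python
import re

# Counter lines as quoted in the message above.
SAMPLE = """\
> worker-1: 1328274953.996680 recvd=129059158 dropped=114860 link=129174018
> worker-2: 1328274954.197859 recvd=129059218 dropped=115120 link=129174338
> worker-3: 1328274954.397642 recvd=129052866 dropped=122170 link=129175036
"""

LINE_RE = re.compile(
    r"(?P<node>\S+):\s+(?P<ts>\d+\.\d+)\s+recvd=(?P<recvd>\d+)"
    r"\s+dropped=(?P<dropped>\d+)\s+link=(?P<link>\d+)"
)

def parse_netstats(text):
    """Parse counter lines into {node: {...}}; lines that do not match are skipped."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        recvd, dropped, link = (int(m[k]) for k in ("recvd", "dropped", "link"))
        stats[m["node"]] = {
            "recvd": recvd, "dropped": dropped, "link": link,
            # Loss according to the capture counters, relative to packets on the link.
            "drop_pct": 100.0 * dropped / link if link else 0.0,
        }
    return stats

def same_traffic_suspected(stats, tolerance=0.001):
    """Heuristic (assumption): link counts within `tolerance` of each other are
    consistent with every worker seeing the same packets; it is not proof."""
    links = [s["link"] for s in stats.values()]
    if len(links) < 2 or max(links) == 0:
        return False
    return (max(links) - min(links)) / max(links) <= tolerance

if __name__ == "__main__":
    stats = parse_netstats(SAMPLE)
    for node, s in sorted(stats.items()):
        print(f"{node}: {s['drop_pct']:.4f}% dropped of {s['link']} on link")
    if same_traffic_suspected(stats):
        print("link counters nearly identical: workers may be seeing the same traffic")
```
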




