[Bro] Bro 2.0 packets dropped
Machiel van Veen
mvv at sentia.nl
Fri Feb 3 07:18:29 PST 2012
On Friday 03 February 2012 14:52:11 Seth Hall wrote:
> On Feb 3, 2012, at 8:38 AM, Machiel van Veen wrote:
> > Besides tuning the receive buffer and queue length is there anything else
> > I can do about this?
> >
> > worker-1: 1328274953.996680 recvd=129059158 dropped=114860 link=129174018
> > worker-2: 1328274954.197859 recvd=129059218 dropped=115120 link=129174338
> > worker-3: 1328274954.397642 recvd=129052866 dropped=122170 link=129175036
>
> Are you monitoring 3 separate links on three interfaces? I'm a little
> suspicious that you may be monitoring the same traffic three separate
> times. You will need to load balance the traffic across those three
> workers if it's a single interface (I'm working on automating this now).
It is one interface, there might be a problem load balancing. I've switched to
a standalone setup for now.
"listening on eth1, capture length 8192 bytes"
"bro: 1328281729.277621 recvd=3553337 dropped=4503 link=3557842"
The packetloss is still there though.
>
> Could you add a line to load the misc/capture-loss script to your
> local.bro? @load misc/capture-loss
>
> After you do that, make sure you do "check", "install", "restart" in
> broctl. The capture-loss script will give you another measure of packet
> loss that is not based on information being received from the NIC.
>From the alarm summary:
"2012-02-03-15:39:46 CaptureLoss::Too_Much_Loss
The capture loss script detected an estimated loss rate above 27.282%"
> Oh, that brings up another question. What NICs are you using?
Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz
driver: bnx2
version: 2.1.11
firmware-version: bc 4.6.0 ipms 1.6.0
>
> .Seth
>
Thanks again, Machiel.
More information about the Bro
mailing list