[Bro] Bro 2.0 packets dropped
William Jones
jones at tacc.utexas.edu
Mon Feb 6 11:30:22 PST 2012
Here is my problem. I have a single server and defined 10 workers on it to divide up the load. Here is the output of "broctl status":
root at homey manager]# broctl status
Name Type Host Status Pid Peers Started
manager manager homey.tacc.utexas.edu running 6202 11 05 Feb 15:22:15
proxy-1 proxy homey.tacc.utexas.edu running 6237 11 05 Feb 15:22:17
worker-1 worker mojo1.tacc.utexas.edu running 18356 2 05 Feb 15:26:41
worker-10 worker mojo1.tacc.utexas.edu running 18350 2 05 Feb 15:26:41
worker-2 worker mojo1.tacc.utexas.edu running 18348 2 05 Feb 15:26:41
worker-3 worker mojo1.tacc.utexas.edu running 18349 2 05 Feb 15:26:41
worker-4 worker mojo1.tacc.utexas.edu running 18357 2 05 Feb 15:26:41
worker-5 worker mojo1.tacc.utexas.edu running 18352 2 05 Feb 15:26:41
worker-6 worker mojo1.tacc.utexas.edu running 18353 2 05 Feb 15:26:41
worker-7 worker mojo1.tacc.utexas.edu running 18354 2 05 Feb 15:26:41
worker-8 worker mojo1.tacc.utexas.edu running 18355 2 05 Feb 15:26:41
worker-9 worker mojo1.tacc.utexas.edu running 18351 2 05 Feb 15:26:41
I now add worker-11 to the configuration and "bro status" returns:
BroControl] > status
Name Type Host Status Pid Peers Started
manager manager homey.tacc.utexas.edu running 29316 12 06 Feb 13:16:59
proxy-1 proxy homey.tacc.utexas.edu running 29351 12 06 Feb 13:17:01
worker-1 worker mojo1.tacc.utexas.edu running 25026 2 06 Feb 13:17:06
worker-10 worker mojo1.tacc.utexas.edu running 25028 2 06 Feb 13:17:06
worker-11 worker mojo1.tacc.utexas.edu running 25033 2 06 Feb 13:17:06
worker-2 worker mojo1.tacc.utexas.edu running 25032 2 06 Feb 13:17:06
worker-3 worker mojo1.tacc.utexas.edu running 25025 2 06 Feb 13:17:06
worker-4 worker mojo1.tacc.utexas.edu running 25031 2 06 Feb 13:17:06
worker-5 worker mojo1.tacc.utexas.edu running 25029 2 06 Feb 13:17:06
worker-6 worker mojo1.tacc.utexas.edu running 25027 2 06 Feb 13:17:06
worker-7 worker mojo1.tacc.utexas.edu running 25034 2 06 Feb 13:17:06
worker-8 worker mojo1.tacc.utexas.edu running 25030 2 06 Feb 13:17:06
worker-9 worker mojo1.tacc.utexas.edu running 25036 ??? 06 Feb 13:17:06
Notice the ???. It is an indication that something is not working correctly with the bro communication library.
-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Seth Hall
Sent: Monday, February 06, 2012 12:55 PM
To: Machiel van Veen
Cc: bro at bro-ids.org
Subject: Re: [Bro] Bro 2.0 packets dropped
On Feb 3, 2012, at 10:18 AM, Machiel van Veen wrote:
> It is one interface, there might be a problem load balancing. I've switched to
> a standalone setup for now.
If you aren't taking any steps to load balance the traffic then it definitely isn't working. We don't have automated load balanced configuration available in BroControl yet. :)
Today, I did just write a script that automates a BPF based load balancing technique on clusters which will be getting merged in along with the rest of the automated load balancing code soon.
> "bro: 1328281729.277621 recvd=3553337 dropped=4503 link=3557842"
> "2012-02-03-15:39:46 CaptureLoss::Too_Much_Loss
> The capture loss script detected an estimated loss rate above 27.282%"
Are you sniffing from a tap or a SPAN port? I'm a little suspicious because the first line indicates that the NIC was showing 0.1% packet loss, but the second line indicates much more loss. The misc/capture-loss.bro script can detect loss due to reasons beyond the monitoring host (like an overloaded SPAN port) so I'm just trying to figure out where there is such a huge disparity between the two measurements.
Oh, one other thought. Are you disabling all of the offload features of your NIC? Here's an article about it:
1. http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
Is the MTU on your NIC larger than 8192 (Bro 2.0's default snaplen)? If there are packets larger than that they won't be seen by default.
>> Oh, that brings up another question. What NICs are you using?
>
> Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz
> driver: bnx2
> version: 2.1.11
> firmware-version: bc 4.6.0 ipms 1.6.0
I usually recommend not using Broadcom NICs for monitoring. At times with various Broadcom NICs I've run into weird problems so I tend to avoid them.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
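An added example, not code from this thread or from the Bro project, that turns the two diagnostics discussed above into a check a monitoring host could run: flagging the "???" peer count in "broctl status" output, and comparing the NIC drop counters ("recvd=... dropped=... link=...") against the CaptureLoss estimate to tell host-side loss from loss upstream of the NIC. The sample inputs are constructed from the outputs quoted above (abbreviated); the function names and the 10x disparity threshold are my own assumptions.

```python
import re

# Constructed sample inputs, abbreviated from the outputs quoted in this thread.
STATUS_OUTPUT = """\
Name Type Host Status Pid Peers Started
manager manager homey.tacc.utexas.edu running 29316 12 06 Feb 13:16:59
proxy-1 proxy homey.tacc.utexas.edu running 29351 12 06 Feb 13:17:01
worker-1 worker mojo1.tacc.utexas.edu running 25026 2 06 Feb 13:17:06
worker-9 worker mojo1.tacc.utexas.edu running 25036 ??? 06 Feb 13:17:06
"""
STATS_LINE = "bro: 1328281729.277621 recvd=3553337 dropped=4503 link=3557842"
CAPTURE_LOSS_RATE = 0.27282  # the 27.282% reported by CaptureLoss::Too_Much_Loss above

def parse_status(text):
    """Return {name: (type, status, peers)} from broctl status output; peers is None for '???'."""
    nodes = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        name, ntype, _host, status, _pid, peers = fields[:6]
        nodes[name] = (ntype, status, None if peers == "???" else int(peers))
    return nodes

def status_findings(nodes):
    """List cluster problems: nodes not running, unknown peer counts, workers that disagree on peers."""
    findings = []
    for name, (_ntype, status, peers) in nodes.items():
        if status != "running":
            findings.append(f"{name}: not running ({status})")
        elif peers is None:
            findings.append(f"{name}: peer count '???' (communication with this node not established)")
    # every worker should see the same peers (manager plus proxies)
    worker_peers = {p for t, _s, p in nodes.values() if t == "worker" and p is not None}
    if len(worker_peers) > 1:
        findings.append(f"workers disagree on peer count: {sorted(worker_peers)}")
    return findings

def drop_rate(stats_line):
    """Return dropped/link from a 'bro: ... recvd=N dropped=N link=N' line, or None if it does not parse."""
    m = re.search(r"recvd=(\d+) dropped=(\d+) link=(\d+)", stats_line)
    if not m:
        return None
    _recvd, dropped, link = map(int, m.groups())
    return dropped / link if link else 0.0

def loss_is_upstream(nic_rate, capture_loss_rate, factor=10):
    """True when CaptureLoss sees far more loss than the NIC counted: packets are lost before
    the NIC (e.g. an overloaded SPAN port) or are never captured (e.g. larger than the snaplen)."""
    return capture_loss_rate > factor * nic_rate
```

With the sample inputs, the only status finding is worker-9's "???" peer count, the NIC drop rate is about 0.127%, and loss_is_upstream() returns True, which points the investigation at the tap/SPAN side rather than the host.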
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro