[Bro] Dropped Packets

Martin Holste mcholste at gmail.com
Mon Jun 18 12:37:19 PDT 2012


That's really interesting!  What about using a ramdisk (e.g. /dev/shm)
file system for logs being currently written to, then at the hour mark
(when the logs rollover), putting them on disk?  That should
theoretically take disk performance out of the equation, and I'd be
really interested in your numbers then.

On Mon, Jun 18, 2012 at 2:24 PM, Will Havlovick
<will.havlovick at zenimax.com> wrote:
> Update:
>
> I have found a way to lessen the amount of packets being dropped.
>
> Here is what I have:
> Dell r310 - 3.2 GHz - 4 GB RAM - Dell hardware RAID controller - two 1TB 7.2k drives in a RAID 1
>
> Test scenario:
> Two bro2.0 servers running virtually identical configs with Ubuntu 11.10.
> One server for testing and one as a control.
> Both monitoring 2 Network Taps of live traffic.
>
> Test 1 : increased RAM to 8GB
> Result : same amount of packets dropped
>
> Test 2 : replaced hard drives with 2 10k drives in a RAID 1
> Result : 10% less packet drops in bro logs as compared to the control server
>
> Test 3 : replaced hard drives with 2 SSD drives in a RAID 1
> Result : 80% less packet drops than the control server
>
> Test 4 : switched SSD hard drives to a RAID 0
> Result : 90% less packet drops than the control server
>
> I have heard that SSD drives have a shorter life span if they are written to a lot.  So this is probably not the best solution.
>
> But, from now on I will order servers with the fastest possible hard drives which for the Dell r310 are 15K SAS drives.
>
> When I get the 15K SAS drives in I will run the same tests and put the results out.
>
>
> Will
>
> -----Original Message-----
> From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Will Havlovick
> Sent: Thursday, January 12, 2012 2:00 PM
> To: 'bro at bro-ids.org'
> Subject: [Bro] Dropped Packets
>
> Hi all,
>
> I recently upgraded 3 standalone Bro nodes.  2 of them are Ubuntu and one of them is CentOS 6.2.
>
> On the 2 Ubuntu 11.10 boxes I have a lot of dropped packets in the notice.log
> ---
> PacketFilter::Dropped_Packets   476 packets dropped after filtering, 52258 received, 52258 on link
> PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link
> PacketFilter::Dropped_Packets   3061 packets dropped after filtering, 35701 received, 35702 on link
> PacketFilter::Dropped_Packets   3371 packets dropped after filtering, 30573 received, 30591 on link
> ---
> broctl netstats
>       bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125
>
> I then tried to add this line to the broctl.cfg from http://comments.gmane.org/gmane.comp.security.detection.bro/4146
> broargs = -l 9800
>
> Which does not appear to be part of the final release and did not work.
>
> The CentOS box is dropping packets, but not the amounts that the 2 Ubuntu boxes are.
>
> Is there a way to reduce the amount of dropped packets?
>
> Also, I can provide more data if necessary.
>
> Thank you in advance,
>
>
> Will
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
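The drop counters quoted in the thread (the notice.log PacketFilter::Dropped_Packets lines and the broctl netstats line) can be parsed into a drop ratio, alarmed on, and compared between a test and a control host the way the RAID/SSD tests above were. This is an added example, not code from the thread or from Bro itself; the 5% alarm threshold, the helper names and the sample lines are assumptions (the sample lines are constructed from the formats shown above).

```python
import re

# Constructed sample lines in the two formats quoted in the thread (notice.log and broctl netstats).
NOTICE_LINES = [
    "PacketFilter::Dropped_Packets   476 packets dropped after filtering, 52258 received, 52258 on link",
    "PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link",
    "PacketFilter::Dropped_Packets   3371 packets dropped after filtering, 30573 received, 30591 on link",
]
NETSTATS_LINE = "bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125"

NOTICE_RE = re.compile(
    r"PacketFilter::Dropped_Packets\s+(?P<dropped>\d+) packets dropped after filtering,\s+"
    r"(?P<recvd>\d+) received,\s+(?P<link>\d+) on link"
)
NETSTATS_RE = re.compile(
    r"^(?P<node>\S+):\s+(?P<ts>\d+(?:\.\d+)?)\s+recvd=(?P<recvd>\d+)\s+"
    r"dropped=(?P<dropped>\d+)\s+link=(?P<link>\d+)"
)

def parse_notice(line):
    """Return {'dropped', 'recvd', 'link'} as ints, or None if not a Dropped_Packets notice."""
    m = NOTICE_RE.search(line)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None

def parse_netstats(line):
    """Return the counters of one 'broctl netstats' line, or None if it does not match."""
    m = NETSTATS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"node": d["node"], "ts": float(d["ts"]), "recvd": int(d["recvd"]),
            "dropped": int(d["dropped"]), "link": int(d["link"])}

def drop_ratio(counts):
    """Fraction of packets seen on the link that Bro dropped (0.0 when the link counter is zero)."""
    return counts["dropped"] / counts["link"] if counts["link"] else 0.0

def flag_drops(lines, threshold=0.05):
    """(ratio, line) for each notice whose drop ratio exceeds threshold: a simple capture-loss alarm."""
    flagged = []
    for line in lines:
        counts = parse_notice(line)
        if counts and drop_ratio(counts) > threshold:
            flagged.append((drop_ratio(counts), line))
    return flagged

def drop_reduction(test, control):
    """Relative reduction of the test host's drop ratio versus the control host (the thread's '% less drops')."""
    c, t = drop_ratio(control), drop_ratio(test)
    return 0.0 if c == 0 else (c - t) / c
```

Run over real notice.log lines the flagged ratio tells you whether loss is a transient burst or sustained; feeding two hosts' netstats counters to drop_reduction gives the comparison figure used in the tests above.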