[Bro] Dropped Packets

Jeremy Hoel jthoel at gmail.com
Mon Jun 18 12:47:44 PDT 2012


What were the network speeds you had been seeing during these tests?

On Mon, Jun 18, 2012 at 7:37 PM, Martin Holste <mcholste at gmail.com> wrote:
> That's really interesting!  What about using a ramdisk (e.g. /dev/shm)
> file system for logs being currently written to, then at the hour mark
> (when the logs rollover), putting them on disk?  That should
> theoretically take disk performance out of the equation, and I'd be
> really interested in your numbers then.
>
> On Mon, Jun 18, 2012 at 2:24 PM, Will Havlovick
> <will.havlovick at zenimax.com> wrote:
>> Update:
>>
>> I have found a way to lessen the amount of packets being dropped.
>>
>> Here is what I have:
>> Dell r310 - 3.2GHz - 4GB RAM - Dell hardware RAID controller - two 1TB 7.2k drives in a RAID 1
>>
>> Test scenario:
>> Two bro2.0 servers running virtually identical configs with Ubuntu 11.10.
>> One server for testing and one as a control.
>> Both monitoring 2 Network Taps of live traffic.
>>
>> Test 1 : increased RAM to 8GB
>> Result : same amount of packets dropped
>>
>> Test 2 : replaced hard drives with 2 10k drives in a RAID 1
>> Result : 10% less packet drops in bro logs as compared to the control server
>>
>> Test 3 : replaced hard drives with 2 SSD drives in a RAID 1
>> Result : 80% less packet drops than the control server
>>
>> Test 4 : switched SSD hard drives to a RAID 0
>> Result : 90% less packet drops than the control server
>>
>> I have heard that SSD drives have a shorter life span if they are written to a lot.  So this is probably not the best solution.
>>
>> But, from now on I will order servers with the fastest possible hard drives which for the Dell r310 are 15K SAS drives.
>>
>> When I get the 15K SAS drives in I will run the same tests and put the results out.
>>
>>
>> Will
>>
>> -----Original Message-----
>> From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Will Havlovick
>> Sent: Thursday, January 12, 2012 2:00 PM
>> To: 'bro at bro-ids.org'
>> Subject: [Bro] Dropped Packets
>>
>> Hi all,
>>
>> I recently upgraded 3 standalone Bro nodes.  2 of them are Ubuntu and one of them is CentOS 6.2.
>>
>> On the 2 Ubuntu 11.10 boxes I have a lot of dropped packets in the notice.log
>> ---
>> PacketFilter::Dropped_Packets   476 packets dropped after filtering, 52258 received, 52258 on link
>> PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link
>> PacketFilter::Dropped_Packets   3061 packets dropped after filtering, 35701 received, 35702 on link
>> PacketFilter::Dropped_Packets   3371 packets dropped after filtering, 30573 received, 30591 on link
>> ---
>> broctl netstats
>>       bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125
>>
>> I then tried to add this line to the broctl.cfg from http://comments.gmane.org/gmane.comp.security.detection.bro/4146
>> broargs = -l 9800
>>
>> Which does not appear to be part of the final release and did not work.
>>
>> The CentOS box is dropping packets, but not the amounts that the 2 Ubuntu boxes are.
>>
>> Is there a way to reduce the amount of dropped packets?
>>
>> Also, I can provide more data if necessary.
>>
>> Thank you in advance,
>>
>>
>> Will
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

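The drop counters quoted in this thread are easier to compare between a test and a control sensor as ratios. The following is an added example, not code from the thread or from the Bro project: it parses the two line formats shown above (the `PacketFilter::Dropped_Packets` notices and the `broctl netstats` line) and reports dropped/link per line. The function names and the 5% threshold are assumptions made for illustration.

```python
import re

# Line formats as they appear in the thread's notice.log and `broctl netstats` output.
NOTICE_RE = re.compile(
    r"(\d+) packets dropped after filtering, (\d+) received, (\d+) on link")
NETSTATS_RE = re.compile(r"recvd=(\d+)\s+dropped=(\d+)\s+link=(\d+)")

def parse_counters(line):
    """Return (dropped, received, link) from either format, or None."""
    m = NOTICE_RE.search(line)
    if m:
        dropped, received, link = map(int, m.groups())
        return dropped, received, link
    m = NETSTATS_RE.search(line)
    if m:
        received, dropped, link = map(int, m.groups())
        return dropped, received, link
    return None

def drop_report(lines, threshold=0.05):
    """Per-line drop ratio (dropped / link). threshold is an assumed alert level."""
    report = []
    for line in lines:
        counters = parse_counters(line)
        if counters is None:
            continue  # separators, prose, or quote markers without counters
        dropped, received, link = counters
        ratio = dropped / link if link else 0.0  # guard against an idle interface
        report.append({"dropped": dropped, "received": received, "link": link,
                       "ratio": ratio, "over_threshold": ratio > threshold})
    return report

# Sample lines copied from the message above, mail quote markers included.
SAMPLE = """\
>> PacketFilter::Dropped_Packets   476 packets dropped after filtering, 52258 received, 52258 on link
>> PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link
>> PacketFilter::Dropped_Packets   3061 packets dropped after filtering, 35701 received, 35702 on link
>> PacketFilter::Dropped_Packets   3371 packets dropped after filtering, 30573 received, 30591 on link
>> ---
>>       bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125
"""

if __name__ == "__main__":
    for row in drop_report(SAMPLE.splitlines()):
        flag = "HIGH" if row["over_threshold"] else "ok"
        print(f"{row['dropped']:>10} / {row['link']:>10}  {row['ratio']:6.2%}  {flag}")
```

The notice lines are per-interval counts while the netstats line is cumulative since start, so the two kinds of ratio should be read separately rather than summed.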


