[Bro] Dropped Packets

Hank Leininger hlein at korelogic.com
Mon Jun 18 13:24:54 PDT 2012


On Mon, Jun 18, 2012 at 02:37:19PM -0500, Martin Holste wrote:
> That's really interesting!  What about using a ramdisk (e.g. /dev/shm)
> file system for logs being currently written to, then at the hour mark
> (when the logs rollover), putting them on disk?  That should
> theoretically take disk performance out of the equation, and I'd be
> really interested in your numbers then.

Along those lines, you could experiment with various filesystem
robustness-performance tradeoffs.  For instance, assuming you're running
ext4 filesystems, you could try any/all of these mount-time/fstab options:

  noatime,barrier=0,data=writeback

...with the related caveats about what you're giving up (man mount).

Hank

> On Mon, Jun 18, 2012 at 2:24 PM, Will Havlovick
> <will.havlovick at zenimax.com> wrote:
> > Update:
> >
> > I have found a way to lessen the amount of packets being dropped.
> >
> > Here is what I have:
> > Dell r310 - 3.2Ghz - 4GB RAM - Dell hardware RAID controller - two 1TB 7.2k drives in a RAID 1
> >
> > Test scenario:
> > Two bro2.0 servers running virtually identical configs with Ubuntu 11.10.
> > One server for testing and one as a control.
> > Both monitoring 2 Network Taps of live traffic.
> >
> > Test 1 : increased RAM to 8GB
> > Result : same amount of packets dropped
> >
> > Test 2 : replaced hard drives with 2 10k drives in a RAID 1
> > Result : 10% fewer packet drops in bro logs as compared to the control server
> >
> > Test 3 : replaced hard drives with 2 SSD drives in a RAID 1
> > Result : 80% fewer packet drops than the control server
> >
> > Test 4 : switched SSD hard drives to a RAID 0
> > Result : 90% fewer packet drops than the control server
> >
> > I have heard that SSD drives have a shorter life span if they are written to a lot.  So this is probably not the best solution.
> >
> > But, from now on I will order servers with the fastest possible hard drives which for the Dell r310 are 15K SAS drives.
> >
> > When I get the 15K SAS drives in I will run the same tests and put the results out.
> >
> >
> > Will
> >
> > -----Original Message-----
> > From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Will Havlovick
> > Sent: Thursday, January 12, 2012 2:00 PM
> > To: 'bro at bro-ids.org'
> > Subject: [Bro] Dropped Packets
> >
> > Hi all,
> >
> > I recently upgraded 3 standalone Bro nodes.  2 of them are Ubuntu and one of them is CentOS 6.2.
> >
> > On the 2 Ubuntu 11.10 boxes I have a lot of dropped packets in the notice.log
> > ---
> > PacketFilter::Dropped_Packets   476 packets dropped after filtering, 52258 received, 52258 on link
> > PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link
> > PacketFilter::Dropped_Packets   3061 packets dropped after filtering, 35701 received, 35702 on link
> > PacketFilter::Dropped_Packets   3371 packets dropped after filtering, 30573 received, 30591 on link
> > ---
> > broctl netstats
> >       bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125
> >
> > I then tried to add this line to the broctl.cfg from http://comments.gmane.org/gmane.comp.security.detection.bro/4146
> > broargs = -l 9800
> >
> > Which does not appear to be part of the final release and did not work.
> >
> > The CentOS box is dropping packets, but not the amounts that the 2 Ubuntu boxes are.
> >
> > Is there a way to reduce the amount of dropped packets?
> >
> > Also, I can provide more data if necessary.
> >
> > Thank you in advance,
> >
> >
> > Will
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >

-- 

Hank Leininger <hlein at korelogic.com>
D24D 2C2A F3AC B9AE CD03  B506 2D57 32E1 686B 6DB3
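As an added example, not code from this thread or from the Bro project, the Python below resolves which mount actually holds a given log path (parsed from /proc/mounts-format text) and reports which of the three options Hank names are set on it, so you can confirm the fstab change took effect and see whether a path such as a /dev/shm spool is on tmpfs at all. The sample mount table, its device names and its mount points are constructed for illustration; treating `nobarrier` as an alias of `barrier=0` is an assumption about how some kernels print that option.

```python
"""Which durability-vs-speed mount options does the filesystem under a path have?

Added example; parses /proc/mounts-format text. The sample table below, its
device names and mount points are constructed, not taken from any real host.
"""
from typing import Dict, List, Optional, Set

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro,barrier=1,data=ordered 0 0
/dev/sdb1 /var/log/bro ext4 rw,noatime,barrier=0,data=writeback 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

# The three options from the mail, with aliases the kernel may print in
# /proc/mounts (assumption: some kernels show 'nobarrier' for 'barrier=0').
TRADEOFF_OPTIONS: Dict[str, Set[str]] = {
    "noatime": {"noatime"},
    "barrier=0": {"barrier=0", "nobarrier"},
    "data=writeback": {"data=writeback"},
}


def parse_mounts(text: str) -> List[Dict[str, object]]:
    """Turn /proc/mounts lines into dicts; the option list becomes a set."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        mounts.append({
            "device": device,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return mounts


def mount_for(path: str, mounts: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Longest-prefix match: the most specific mount point that contains path."""
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        # '/' becomes prefix '/', '/var/log/bro' becomes '/var/log/bro/'
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = m
    return best


def check_log_mount(path: str, mounts_text: str = SAMPLE_MOUNTS) -> Optional[Dict[str, object]]:
    """Report the mount, whether it is tmpfs, and which trade-off options it carries."""
    m = mount_for(path, parse_mounts(mounts_text))
    if m is None:
        return None
    present = sorted(name for name, aliases in TRADEOFF_OPTIONS.items()
                     if m["options"] & aliases)
    missing = sorted(name for name in TRADEOFF_OPTIONS if name not in present)
    return {
        "mountpoint": m["mountpoint"],
        "fstype": m["fstype"],
        "tmpfs": m["fstype"] == "tmpfs",
        "present": present,
        "missing": missing,
    }


if __name__ == "__main__":
    for p in ("/var/log/bro/current", "/dev/shm/bro-spool", "/etc/bro"):
        print(p, check_log_mount(p))
```

On a live host pass `open("/proc/mounts").read()` as `mounts_text`. Note that `noatime` only saves metadata writes, while `barrier=0` and `data=writeback` are the two that can leave the log filesystem inconsistent, or the last log lines as garbage, after a crash or power loss, which is the trade-off `man mount` warns about.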
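To put numbers on test-versus-control comparisons like the ones Will reports, here is an added Python example (not from this thread, Bro or broctl) that parses `PacketFilter::Dropped_Packets` notice lines and a `broctl netstats` line and turns the counters into a drop rate. The sample lines are constructed from the ones quoted above; the drop-rate definition dropped / (dropped + received) and the relative-improvement helper are this example's own choices, not a metric Bro itself reports.

```python
"""Drop-rate calculation from Bro notice.log and broctl netstats output.

Added example; not part of Bro or broctl. The drop rate used here,
dropped / (dropped + received), is this script's own definition.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input, modelled on the lines quoted in the thread.
NOTICE_LINES = """\
PacketFilter::Dropped_Packets   476 packets dropped after filtering, 52258 received, 52258 on link
PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link
PacketFilter::Dropped_Packets   3061 packets dropped after filtering, 35701 received, 35702 on link
PacketFilter::Dropped_Packets   3371 packets dropped after filtering, 30573 received, 30591 on link
"""
NETSTATS_LINE = "      bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125"

NOTICE_RE = re.compile(
    r"PacketFilter::Dropped_Packets\s+(?P<dropped>\d+) packets dropped after filtering,"
    r"\s+(?P<received>\d+) received,\s+(?P<link>\d+) on link"
)
NETSTATS_RE = re.compile(
    r"(?P<node>\S+):\s+(?P<ts>\d+\.\d+)\s+recvd=(?P<received>\d+)"
    r"\s+dropped=(?P<dropped>\d+)\s+link=(?P<link>\d+)"
)


def parse_notices(text: str) -> List[Dict[str, int]]:
    """Extract dropped/received/link counters from each Dropped_Packets notice line."""
    rows = []
    for line in text.splitlines():
        m = NOTICE_RE.search(line)
        if m:
            rows.append({k: int(v) for k, v in m.groupdict().items()})
    return rows


def parse_netstats(line: str) -> Optional[Dict[str, object]]:
    """Parse one 'node: ts recvd=.. dropped=.. link=..' line from broctl netstats."""
    m = NETSTATS_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "node": g["node"],
        "ts": float(g["ts"]),
        "received": int(g["received"]),
        "dropped": int(g["dropped"]),
        "link": int(g["link"]),
    }


def drop_rate(dropped: int, received: int) -> float:
    """Fraction of packets lost; 0.0 when no packets were seen at all."""
    total = dropped + received
    return dropped / total if total else 0.0


def summarize(rows: List[Dict[str, int]]) -> Dict[str, float]:
    """Aggregate notice rows into totals and an overall drop rate."""
    dropped = sum(r["dropped"] for r in rows)
    received = sum(r["received"] for r in rows)
    return {"dropped": dropped, "received": received, "rate": drop_rate(dropped, received)}


def relative_improvement(test_rate: float, control_rate: float) -> float:
    """How much lower the test node's drop rate is than the control's:
    1.0 = no drops on test, 0.0 = identical, negative = test is worse.
    This is the sense of '80% fewer packet drops than the control server'.
    Undefined when the control has no drops: 0.0 if test has none either, else -inf."""
    if control_rate == 0.0:
        return 0.0 if test_rate == 0.0 else float("-inf")
    return 1.0 - test_rate / control_rate


if __name__ == "__main__":
    s = summarize(parse_notices(NOTICE_LINES))
    n = parse_netstats(NETSTATS_LINE)
    print("notice.log: %d dropped of %d seen (%.2f%%)"
          % (s["dropped"], s["dropped"] + s["received"], 100 * s["rate"]))
    print("netstats:   %.2f%% drop rate on node %s"
          % (100 * drop_rate(n["dropped"], n["received"]), n["node"]))
    print("a 0.8%% test run against a 4.0%% control run is %.0f%% fewer drops"
          % (100 * relative_improvement(0.008, 0.04)))
```

Compare rates rather than raw counts: the two boxes in the thread sit on separate taps and see slightly different packet totals, so a difference in absolute drops alone does not tell you whether the change helped. In the netstats line the `link` counter is within one of `recvd + dropped`, which is what you expect if `dropped` is the capture library's count of packets it could not hand to Bro.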