[Bro] Dropped Packets

Tyler T. Schoenke tyler.schoenke at colorado.edu
Mon Jun 18 14:35:40 PDT 2012 

I don't mean to hijack the thread, but I just tried cluster versus
standalone and got some interesting results.  I tuned the cFlow to send
about 45 mbps to an interface on a particular worker.  Based on the
Dropped_Packets in notice.log, I see about 35% drop on the cluster for
this particular worker.  When I run standalone against the same
interface with the same filter I see between 0 and 1% dropped.  Very odd.

Here is some output from dstat -a --mem 5

----total-cpu-usage---- -dsk/total- -net/total- ---paging-- ---system-->
usr sys idl wai hiq siq| read  writ| recv  send|  in   out | int   csw >
 14   9  76   0   0   1|  26k  430k|   0     0 |   0     0 |  24k  132k>
 11   7  82   0   0   1|   0  8192B|  17M  141k|   0     0 |  65k   91k>
 12   6  81   0   0   1|   0  9011B|  10M   32k|   0     0 |  67k   91k>
 12   6  81   0   0   1|   0   282k|  19M  142k|   0     0 |  69k   90k>
 12   7  81   0   0   0|   0    33k|  13M   35k|   0     0 |  69k   89k>
 11   6  82   0   0   1|   0  1558k|  17M  124k|   0     0 |  63k   92k>
 12   7  81   0   0   0|   0  3403k|  11M   26k|   0     0 |  67k   92k>
 12   7  80   0   0   1|   0  9011B|  23M  158k|   0     0 |  69k   91k>
 12   6  82   0   0   1|   0  9011B|  11M   33k|   0     0 |  67k   90k>
 12   6  80   0   0   1|   0   258k|  23M  125k|   0     0 |  69k   89k>
 13   7  80   0   0   0|   0  9011B|  13M   26k|   0     0 |  66k   91k>
 11   7  81   0   0   0|   0   490k|  17M  155k|   0     0 |  66k   91k>
 12   6  81   0   0   1|   0  4980k|  10M   29k|   0     0 |  67k   91k>^C

My dstat doesn't have the --disk-tps parameter (plug-in) that Justin
mentioned.  Do any of the values look too large?

Tyler

--
Tyler Schoenke
Network Security Manager
IT Security Office
University of Colorado at Boulder

On 6/18/12 2:22 PM, Seth Hall wrote:
> 
> On Jun 18, 2012, at 4:01 PM, Will Havlovick wrote:
> 
>> Per broctl>capstats,  I was averaging between 15-45mbps.
> 
> 
> Hm, that seems like an oddly low amount of traffic to see drops on a
> box like you have.
> 
> Could you also try the current master branch in our repository?  The
> logging framework has been threaded and it's likely that disk latency
> issues have been resolved to some degree.  Also, I assume these were
> running Bro in standalone mode?  When running in a cluster this
> shouldn't have nearly so much effect because the manager process does
> all of the log writing and it doesn't do any packet processing.
> 
> .Seth
> 
> -- Seth Hall International Computer Science Institute (Bro) because
> everyone has a network http://www.bro-ids.org/
> 
> 
> _______________________________________________ Bro mailing list 
> bro at bro-ids.org 
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
>

More information about the Bro mailing list