[Bro] Dropped Packets

Will Havlovick will.havlovick at zenimax.com
Tue Jun 19 06:16:31 PDT 2012


Thank you all for the suggestions.

I will begin testing the different options and email out the results.


Will

-----Original Message-----
From: William Jones [mailto:jones at tacc.utexas.edu] 
Sent: Tuesday, June 19, 2012 12:43 AM
To: Will Havlovick; 'bro at bro-ids.org'
Subject: RE: Dropped Packets

If you are running bro on linux, without pf_ring, try increasing net.core.rmem_default:

For 10GigE nic

net.core.rmem_max =     500000000
net.core.rmem_default = 500000000

For 1 GigE nics

 
net.core.rmem_max =     50000000
net.core.rmem_default = 50000000

Bill Jones



-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Will Havlovick
Sent: Monday, June 18, 2012 2:25 PM
To: 'bro at bro-ids.org'
Subject: Re: [Bro] Dropped Packets

Update:

I have found a way to lessen the amount of packets being dropped.

Here is what I have:
Dell r310 - 3.2Ghz - 4GB RAM - Dell hardware RAID controller - two 1TB 7.2k drives in a RAID 1

Test scenario:
Two bro2.0 servers running virtually identical configs with Ubuntu 11.10.
One server for testing and one as a control.
Both monitoring 2 Network Taps of live traffic.

Test 1 : increased RAM to 8GB
Result : same amount of packets dropped

Test 2 : replaced hard drives with 2 10k drives in a RAID 1
Result : 10% less packet drops in bro logs as compared to the control server

Test 3 : replaced hard drives with 2 SSD drives in a RAID 1
Result : 80% less packet drops than the control server

Test 4 : switched SSD hard drives to a RAID 0
Result : 90% less packet drops than the control server

I have heard that SSD drives have a shorter life span if they are written to a lot.  So this is probably not the best solution.

But, from now on I will order servers with the fastest possible hard drives which for the Dell r310 are 15K SAS drives.  

When I get the 15K SAS drives in I will run the same tests and put the results out.


Will

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Will Havlovick
Sent: Thursday, January 12, 2012 2:00 PM
To: 'bro at bro-ids.org'
Subject: [Bro] Dropped Packets

Hi all,

I recently upgraded 3 standalone Bro nodes.  2 of them are Ubuntu and one of them is CentOS 6.2.

On the 2 Ubuntu 11.10 boxes I have a lot of dropped packets in the notice.log
---
PacketFilter::Dropped_Packets   476 packets dropped after filtering, 52258 received, 52258 on link      
PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link     
PacketFilter::Dropped_Packets   3061 packets dropped after filtering, 35701 received, 35702 on link     
PacketFilter::Dropped_Packets   3371 packets dropped after filtering, 30573 received, 30591 on link     
---
broctl netstats
       bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125

I then tried to add this line to the broctl.cfg from http://comments.gmane.org/gmane.comp.security.detection.bro/4146
broargs = -l 9800

Which does not appear to be part of the final release and did not work.

The CentOS box is dropping packets, but not the amounts that the 2 Ubuntu boxes are.  

Is there a way to reduce the amount of dropped packets?

Also, I can provide more data if necessary.

Thank you in advance,


Will

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
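
An added example, not part of the thread or of Bro itself: a short Python parser for the PacketFilter::Dropped_Packets notices and the broctl netstats line quoted in the first message, turning them into drop percentages so a test server can be compared against a control server. It assumes "link" is the right denominator for the drop rate; the function names are hypothetical.

```python
import re

# Constructed sample: the notice.log and `broctl netstats` lines quoted in the thread.
SAMPLE = """\
PacketFilter::Dropped_Packets   476 packets dropped after filtering, 52258 received, 52258 on link
PacketFilter::Dropped_Packets   4914 packets dropped after filtering, 52785 received, 52785 on link
PacketFilter::Dropped_Packets   3061 packets dropped after filtering, 35701 received, 35702 on link
PacketFilter::Dropped_Packets   3371 packets dropped after filtering, 30573 received, 30591 on link
       bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125
"""

NOTICE_RE = re.compile(r"(\d+) packets dropped after filtering, (\d+) received, (\d+) on link")
NETSTATS_RE = re.compile(r"^\s*(\S+): [\d.]+ recvd=(\d+) dropped=(\d+) link=(\d+)")


def drop_pct(dropped, link):
    """Dropped packets as a percentage of packets on the link (assumed denominator)."""
    return 100.0 * dropped / link if link else 0.0


def parse(text):
    """Return (per-interval notice percentages, {node: netstats percentage})."""
    intervals, nodes = [], {}
    for line in text.splitlines():
        m = NOTICE_RE.search(line)
        if m:
            dropped, _received, link = map(int, m.groups())
            intervals.append(drop_pct(dropped, link))
            continue
        m = NETSTATS_RE.match(line)
        if m:
            node, _recvd, dropped, link = m.groups()
            nodes[node] = drop_pct(int(dropped), int(link))
    return intervals, nodes


def reduction_vs_control(test_pct, control_pct):
    """Relative reduction in drop rate of a test server against the control, in percent."""
    if control_pct == 0:
        raise ValueError("control server reports no drops; nothing to compare against")
    return 100.0 * (control_pct - test_pct) / control_pct


if __name__ == "__main__":
    intervals, nodes = parse(SAMPLE)
    for pct in intervals:
        print(f"notice interval: {pct:.2f}% dropped")
    for node, pct in nodes.items():
        print(f"{node}: {pct:.2f}% dropped (netstats)")
```

Running the same parser over the logs of both servers gives the two percentages that reduction_vs_control() compares.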
