[Bro] Packet Drops

Tom OBrion hammadog at gmail.com
Fri May 4 03:21:35 PDT 2012


That is from the netstats via Bro.  Zero dropped packets via NIC stats.

Here are some stats from this AM with the following setup.

root@ptlsecsensor1:/home/secarch# /usr/local/bro/bin/broctl capstats

Interface            kpps       mbps       (10s average)
------------------------------
x.x.x.x/eth0     3.8        20.0

Total                3.8        20.0

worker-0: 1336126625.749682 recvd=263871 dropped=30023 link=293912
worker-1: 1336126625.997021 recvd=262510 dropped=30656 link=293227

[manager]
type=manager
host=x.x.x.x

[proxy-0]
type=proxy
host=x.x.x.x

[worker-0]
type=worker
host=x.x.x.x
interface=eth0

[worker-1]
type=worker
host=x.x.x.x
interface=eth0

We were unsure as the documentation mentioned 80mbps per CPU, so we
thought we would give pf_ring a run.  But at these rates I would not
think we would see drops.

Is netstats not telling the truth?  :)

We are just trying to get an idea of what this old IBM hardware can
do for us and are running into this.

Thanks very much for the assistance.

Tom



On Fri, May 4, 2012 at 12:26 AM, Martin Holste <mcholste at gmail.com> wrote:
> On moderate hardware, I've found that it takes about one CPU per 100
> Mb/sec, so you shouldn't be dropping at anything under that.  You
> probably also don't need PF_RING or any special kernel tunings at
> anything less than 200-300 Mb/sec, so that shouldn't be the problem
> either.  When you say dropped packets, is that per the Bro drop log,
> or the nic stats?
>
> On Thu, May 3, 2012 at 8:21 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>> On Thu, May 03, 2012 at 09:10:40PM -0400, Tom OBrion wrote:
>>> Need some thoughts from the LINUX/BRO gifted....
>>>
>>> Hardware:
>>>
>>> CPU: two - Intel(R) Xeon(TM) CPU 2.40GHz
>>> MEM: 2gig
>>> NIC's: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
>>>
>>> We peak around 130mbps and at this time we are running around 10mbps.
>>>  No matter what speed we run at we continue to drop packets.  We have
>>> loaded pf_ring and load balanced across two NICs based on Martin's
>>> BLOG:  http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html
>>
>> Can you post the contents of the files in /proc/net/pf_ring/ for the bro
>> processes?  You should have one per bro worker.
>>
>>
>> --
>> -- Justin Azoff
>> -- Network Security & Performance Analyst
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Tom O'Brion
TEL: 207.210.2167
Skype:

"Life is too short to spend time with people who suck the happy out of you."
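
An added example, not part of the original message or of broctl: a small Python parser for the per-worker netstats lines quoted in the message above, computing each worker's drop percentage against the link count and how many link packets appear in neither counter. The function names and the 1% alert threshold are assumptions chosen for illustration.

```python
import re
from typing import NamedTuple, Optional

# The two netstats lines quoted in the message above.
SAMPLE = """\
worker-0: 1336126625.749682 recvd=263871 dropped=30023 link=293912
worker-1: 1336126625.997021 recvd=262510 dropped=30656 link=293227
"""

LINE_RE = re.compile(
    r"^\s*(?P<node>[\w.-]+):\s+(?P<ts>\d+(?:\.\d+)?)\s+recvd=(?P<recvd>\d+)"
    r"\s+dropped=(?P<dropped>\d+)(?:\s+link=(?P<link>\d+))?\s*$"
)

class NodeStats(NamedTuple):
    node: str
    ts: float
    recvd: int
    dropped: int
    link: Optional[int]  # handled as optional in case the field is missing

    @property
    def seen(self) -> int:
        # Denominator: link count when reported, else recvd + dropped.
        return self.link if self.link is not None else self.recvd + self.dropped

    @property
    def drop_pct(self) -> float:
        return 100.0 * self.dropped / self.seen if self.seen else 0.0

    @property
    def unaccounted(self) -> int:
        # Packets counted on the link that appear in neither counter.
        return self.seen - self.recvd - self.dropped

def parse_netstats(text: str) -> list:
    stats = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank lines, shell prompts, other output
        link = int(m["link"]) if m["link"] else None
        stats.append(NodeStats(m["node"], float(m["ts"]), int(m["recvd"]),
                               int(m["dropped"]), link))
    return stats

def lossy_nodes(stats, threshold_pct: float = 1.0) -> list:
    """Names of nodes whose drop percentage exceeds the assumed threshold."""
    return [s.node for s in stats if s.drop_pct > threshold_pct]

if __name__ == "__main__":
    for s in parse_netstats(SAMPLE):
        print(f"{s.node}: {s.drop_pct:.2f}% dropped, {s.unaccounted} unaccounted")
```

The counters are cumulative, so comparing two samples taken some minutes apart shows whether drops are still accumulating at the current traffic rate.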



