[Bro] Packet Drops

Tom OBrion hammadog at gmail.com
Fri May 4 03:28:46 PDT 2012


Via tcpdump

1995 packets captured
1995 packets received by filter
14731 packets dropped by kernel

On Fri, May 4, 2012 at 12:26 AM, Martin Holste <mcholste at gmail.com> wrote:
> On moderate hardware, I've found that it takes about one CPU per 100
> Mb/sec, so you shouldn't be dropping at anything under that.  You
> probably also don't need PF_RING or any special kernel tunings at
> anything less than 200-300 Mb/sec, so that shouldn't be the problem
> either.  When you say dropped packets, is that per the Bro drop log,
> or the nic stats?
>
> On Thu, May 3, 2012 at 8:21 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>> On Thu, May 03, 2012 at 09:10:40PM -0400, Tom OBrion wrote:
>>> Need some thoughts from the LINUX/BRO gifted....
>>>
>>> Hardware:
>>>
>>> CPU: two - Intel(R) Xeon(TM) CPU 2.40GHz
>>> MEM: 2gig
>>> NIC's: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
>>>
>>> We peak around 130mbps and at this time we are running around 10mbps.
>>>  No matter what speed we run at we continue to drop packets.  We have
>>> loaded pf_ring and load balanced across two NICs based on Martin's
>>> BLOG:  http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html
>>
>> Can you post the contents of the files in /proc/net/pf_ring/ for the bro
>> processes?  You should have one per bro worker.
>>
>>
>> --
>> -- Justin Azoff
>> -- Network Security & Performance Analyst
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Tom O'Brion
TEL: 207.210.2167
Skype:

"Life is too short to spend time with people who suck the happy out of you."



