[Bro] Packet Drops

Tom OBrion hammadog at gmail.com
Wed May 9 10:16:21 PDT 2012


Well I finally got some time to work on this dude.

I started with a fresh build of Ubuntu 10.10 server all up to snuff.
Loaded only Bro with a single tap.  Drops started right off the bat.
So I updated my intel driver to the latest and restarted bro.  Drops
still happening.  I loaded capture-loss and I assume you wanted some
data out of the notice.log about the packet drops?

Here is a small snippet of a couple.  They are pretty frequent.

1336583347.593837	-	-	-	-	-	-	PacketFilter::Dropped_Packets	93989 packets dropped after filtering, 249946 received, 249946 on link	-	-	-	-	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	-	-	-
1336583357.594487	-	-	-	-	-	-	PacketFilter::Dropped_Packets	73508 packets dropped after filtering, 227808 received, 227808 on link	-	-	-	-	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	-	-	-
1336583367.594936	-	-	-	-	-	-	PacketFilter::Dropped_Packets	82349 packets dropped after filtering, 234476 received, 234476 on link	-	-	-	-	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	-	-	-

Current traffic on the monitor port:

Interface            kpps       mbps       (10s average)
------------------------------
localhost/eth1       22.8       121.5

Any other thoughts other than drop kick the bay into the dumpster!  hehe

Thanks

Tom


On Fri, May 4, 2012 at 9:58 AM, Seth Hall <seth at icir.org> wrote:
>
> On May 4, 2012, at 6:21 AM, Tom OBrion wrote:
>
>> worker-0: 1336126625.749682 recvd=263871 dropped=30023 link=293912
>> worker-1: 1336126625.997021 recvd=262510 dropped=30656 link=293227
>
> Are you running "misc/capture-loss"?  That should provide a much more holistic view of packet loss because it's not relying on anything other than characteristics of the actual traffic to tell you if packets are being lost.  It doesn't tell you where the packet loss is happening and could mean a very large number of things, but it's a good place to start.
>
>> We were unsure as the documentation mentioned 80mbps per CPU, so we
>> thought we would give pf_ring a run.  But at these rates I would not
>> think we would see drops.
>
> I was really conflicted when I wrote 80Mbps in that documentation.  There is really no good way to figure out what that will be.  With reasonably fast, modern Xeon CPUs people seem to be getting ~150Mbps per core now, but you need to take that value with a grain of salt too since it depends so heavily on your traffic mix.
>
>> Is netstats not telling the truth?  :)
>
> That question is really hard to answer, especially if you are running pf_ring where the normal Linux packet processing pipeline is being bypassed.
>
>> We are just trying to get an idea of what this old IBM hardware can
>> do for us and are running into this.
>
> You didn't mention that it's old hardware. :)  What's the architecture?  How many cores does the box have total?
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
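As an added example (not code from this thread or from Bro itself), a small Python parser for the two kinds of drop report quoted above: the PacketFilter::Dropped_Packets rows in notice.log and the per-worker netstats lines. Both are reduced to one loss fraction against the link count so a single threshold can flag them; the sample rows are the thread's own values, re-joined onto single tab-separated lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the notice.log rows and netstats lines quoted in the thread,
# each notice re-joined onto one line (notice.log columns are separated by real tabs).
SAMPLE_LINES = [
    "1336583347.593837\t-\t-\t-\t-\t-\t-\tPacketFilter::Dropped_Packets\t93989 packets dropped after filtering, 249946 received, 249946 on link\t-\t-\t-\t-\tbro\tNotice::ACTION_LOG\t6\t3600.000000\tF",
    "1336583357.594487\t-\t-\t-\t-\t-\t-\tPacketFilter::Dropped_Packets\t73508 packets dropped after filtering, 227808 received, 227808 on link\t-\t-\t-\t-\tbro\tNotice::ACTION_LOG\t6\t3600.000000\tF",
    "1336583367.594936\t-\t-\t-\t-\t-\t-\tPacketFilter::Dropped_Packets\t82349 packets dropped after filtering, 234476 received, 234476 on link\t-\t-\t-\t-\tbro\tNotice::ACTION_LOG\t6\t3600.000000\tF",
    "worker-0: 1336126625.749682 recvd=263871 dropped=30023 link=293912",
    "worker-1: 1336126625.997021 recvd=262510 dropped=30656 link=293227",
]

DROP_NOTE = "PacketFilter::Dropped_Packets"
NOTICE_MSG_RE = re.compile(
    r"(?P<dropped>\d+) packets dropped after filtering, (?P<recvd>\d+) received, (?P<link>\d+) on link")
NETSTATS_RE = re.compile(
    r"^(?P<worker>\S+): (?P<ts>\d+\.\d+) recvd=(?P<recvd>\d+) dropped=(?P<dropped>\d+) link=(?P<link>\d+)")

@dataclass
class DropSample:
    source: str      # "notice" for notice.log rows, otherwise the worker name from netstats
    ts: float
    recvd: int
    dropped: int
    link: int

    def loss_fraction(self) -> float:
        # Share of the packets seen on the link that the capture path failed to deliver.
        return self.dropped / self.link if self.link else 0.0

def parse_line(line: str) -> Optional[DropSample]:
    """Parse one notice.log row or one netstats worker line; None for anything else."""
    fields = line.rstrip("\n").split("\t")
    if DROP_NOTE in fields:
        # In notice.log the msg column directly follows the note column.
        m = NOTICE_MSG_RE.search(fields[fields.index(DROP_NOTE) + 1])
        src, ts = "notice", fields[0]
    else:
        m = NETSTATS_RE.match(line)
        src, ts = (m["worker"], m["ts"]) if m else (None, None)
    if not m:
        return None
    return DropSample(src, float(ts), int(m["recvd"]), int(m["dropped"]), int(m["link"]))

def flag_lossy(lines: List[str], threshold: float) -> List[DropSample]:
    """Return the samples whose loss fraction is at or above threshold (0.05 means 5%)."""
    samples = (parse_line(l) for l in lines)
    return [s for s in samples if s is not None and s.loss_fraction() >= threshold]

if __name__ == "__main__":
    for s in flag_lossy(SAMPLE_LINES, 0.05):
        print(f"{s.source:<8} {s.ts:.3f} dropped={s.dropped} link={s.link} loss={s.loss_fraction():.1%}")
```

Run as a script it lists every sample above 5% loss; on the thread's numbers the notice.log rows sit at roughly 32-38% and the two workers at roughly 10%.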