[Bro] Troubleshooting crashes
Tyler T. Schoenke
tyler.schoenke at colorado.edu
Mon Sep 17 12:56:16 PDT 2012
On 9/11/12 2:34 PM, Tritium Cat wrote:
> > 614589 data_before_established
> > 585445 possible_split_routing
>
> I'm a little curious about these two. Normally lots of these lines
> indicate that something is wrong with how Bro is collecting
> packets. I'm interested to find out if these go away when you adapt
> the snap length. Is the MTU of your network actually 9600 or did
> you just set that MTU for the interface to the maximum it would allow?
>
I was seeing a lot of these as well. I am mirroring two ports, hence a
lot of duplicate traffic. Are you doing something similar? When I had
my networking engineer turn off one of the mirrored ports, I saw a 60%
reduction in data_before_established and a 66% decrease in
possible_split_routing. I'm comparing data between the same hour on
Thursday and Friday, so some of that drop is related to a normal drop in
traffic, but most is probably turning off the mirror.
Tyler
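
Added example, not part of the original message: one way to compare weird counts between two capture windows while separating the effect of a mirror change from an ordinary drop in traffic, by normalising each count against a connection total for the same window. The sample log rows, addresses, uids and connection totals are constructed; the column layout assumes Bro's tab-separated weird.log with a "#fields" header.

```python
from collections import Counter

# Assumed weird.log header (Bro TSV layout); all rows below are constructed.
HEADER = "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer"

def make_log(counts):
    """Build a constructed weird.log body with the given number of rows per name."""
    rows = ["#separator \\x09", HEADER]
    for name, n in counts.items():
        for i in range(n):
            rows.append(f"1347566400.{i:06d}\tCuid{i}\t192.0.2.1\t40000\t"
                        f"198.51.100.2\t80\t{name}\t-\tF\tbro")
    return "\n".join(rows)

def weird_counts(log_text):
    """Count events per weird name, locating the column via the #fields line."""
    fields, counts = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            name = dict(zip(fields, line.split("\t"))).get("name")
            if name is not None:
                counts[name] += 1
    return counts

def percent_drop(before, after):
    return 100.0 * (before - after) / before if before else 0.0

def compare(before, after, conns_before, conns_after):
    """Per name: (raw % drop, % drop in weirds per connection)."""
    result = {}
    for name in before:
        raw = percent_drop(before[name], after[name])
        adjusted = percent_drop(before[name] / conns_before,
                                after[name] / conns_after)
        result[name] = (round(raw, 1), round(adjusted, 1))
    return result

# Constructed windows: same hour on two days, second day with less traffic.
SAMPLE_BEFORE = make_log({"data_before_established": 10, "possible_split_routing": 6})
SAMPLE_AFTER = make_log({"data_before_established": 4, "possible_split_routing": 2})

if __name__ == "__main__":
    report = compare(weird_counts(SAMPLE_BEFORE), weird_counts(SAMPLE_AFTER),
                     conns_before=100, conns_after=80)
    for name, (raw, adjusted) in report.items():
        print(f"{name}: raw drop {raw}%, per-connection drop {adjusted}%")
```

The connection totals would come from counting conn.log entries for the same windows; the per-connection figure is the part of the drop not explained by lower traffic volume.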