[Bro] missed bytes without gaps
sangdrax8
sangdrax8 at gmail.com
Wed Dec 18 04:57:49 PST 2013
I am confused about how I am getting "missed_bytes." When I read the
documentation it says that these are due to content gaps, and is caused by
packet loss. So I have tried to look for signs of this, but I have yet to
find anything that shows content gaps or any significant packet loss. I
see no mention of content gaps in my notices.log file, and my packet loss
report from broctl shows almost no dropped packets (recvd=2770338
dropped=92 link=2770430)
Perhaps I am looking at this wrong, so if someone could help out here it
would be greatly appreciated. I am logging correct streams, vs streams
with missed bytes, to see how often these missed bytes show up. To do this
I am filtering my logs in the following way
Missed: only looking at bro_conn, orig_bytes AND resp_bytes > 0, only TCP
packets, missed_bytes > 0
Non-missed: only looking at bro_conn, orig_bytes AND resp_bytes > 0, only
TCP packets, missed_bytes = 0
Using these two definitions, I see almost 40% of my packets fall into the
"missed" streams, while around 60% fall into the non-missed. I was doing
this to check my setup and see if I had everything working. From
everything else (no gaps reported, and almost no dropped packets) I
thought everything was working. Now I question if something else is wrong,
and so I am wary about using this to look at other data as it may not be
complete.
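The two filters described in the post (TCP only, orig_bytes and resp_bytes both > 0, split on missed_bytes), as an added example that is not from the poster or from the Bro project. It assumes the standard conn.log layout (tab-separated, a `#fields` header naming the columns, `-` for unset values) and uses a constructed sample with a subset of the real columns.

```python
"""Split Bro conn.log records into missed / non-missed streams the way the post does."""
from collections import Counter

# Constructed sample in conn.log layout: tab-separated, '#fields' header, '-' = unset.
# Only a subset of the real columns is included; a real log carries more.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\tmissed_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\tcount
1387371469.1\tCa1\t10.0.0.5\t51000\t10.0.0.9\t80\ttcp\t300\t1200\t0
1387371470.2\tCb2\t10.0.0.5\t51001\t10.0.0.9\t443\ttcp\t900\t8000\t2900
1387371471.3\tCc3\t10.0.0.5\t53000\t10.0.0.1\t53\tudp\t60\t120\t0
1387371472.4\tCd4\t10.0.0.6\t51002\t10.0.0.9\t80\ttcp\t0\t0\t0
1387371473.5\tCe5\t10.0.0.6\t51003\t10.0.0.9\t22\ttcp\t-\t-\t0
1387371474.6\tCf6\t10.0.0.7\t51004\t10.0.0.9\t80\ttcp\t400\t1500\t1448
"""


def parse_conn_log(text):
    """Yield one dict per record, keyed by the column names from the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other metadata lines ('#types', '#open', ...) and blank lines
        else:
            yield dict(zip(fields, line.split("\t")))


def _count(value):
    """Treat the unset marker '-' (or an empty field) as zero bytes."""
    return 0 if value in ("-", "") else int(value)


def classify(records):
    """Apply the post's filter, then bucket by whether missed_bytes is > 0."""
    counts = Counter()
    for r in records:
        if r["proto"] != "tcp":
            continue
        if _count(r["orig_bytes"]) == 0 or _count(r["resp_bytes"]) == 0:
            continue  # one-sided or empty connections are excluded, as in the post
        bucket = "missed" if _count(r["missed_bytes"]) > 0 else "non_missed"
        counts[bucket] += 1
    return counts


def missed_share(text):
    """Fraction of filtered TCP connections that reported missed bytes."""
    counts = classify(parse_conn_log(text))
    total = counts["missed"] + counts["non_missed"]
    return counts["missed"] / total if total else 0.0
```

On the constructed sample two of the three connections that survive the filter carry missed_bytes, so the share is about 0.67; running it over a real conn.log shows whether the 40/60 split the post describes reproduces.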