[Bro] missed bytes without gaps

Seth Hall seth at icir.org
Wed Dec 18 05:22:48 PST 2013


On Dec 18, 2013, at 7:57 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:

> Using these two definitions, I see almost 40% of my packets fall into the "missed" streams, while around 60% fall into the non-missed.  I was doing this to check my setup and see if I had everything working.  From everything else (no gaps reported, and almost no dropped packets) I thought everything was working.  Now I question if something else is wrong, and so I am wary about using this to look at other data as it may not be complete.

There are a lot of reasons that you could be missing traffic that have nothing to do with the packet drop statistics reported by your NIC.  I have a guess about what's happening in your traffic though.  Have you disabled the special features on your NIC?  Refer to this blog post on how to do it on Linux:
	http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

If you want a much better mechanism to see if you're receiving all of the traffic you should be, I recommend loading the misc/capture-loss script.  By default it will write out to capture_loss.log every 15 minutes, and because it takes its measurements from the TCP streams themselves, it can even detect packet loss occurring before the packets arrive at your monitoring interface.  A number of people have detected faulty packet distribution boxes and overloaded switch SPAN ports with it.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
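A worked model of the check Seth describes, added here as an illustration; it is not Bro's code and not the capture-loss script itself. In Bro the gap detection happens inside the TCP reassembler and the script only samples its counters, so this Python stand-in re-implements the idea on constructed segments: any ACK that acknowledges bytes the sensor never captured in the opposite direction is a gap, and gaps divided by ACKs is the loss ratio. The class and function names (Segment, Direction, CaptureLossDetector, analyze) and both traces are mine; the gaps/acks/percent_lost labels follow what I recall of capture_loss.log's columns and are not taken from this message. The second trace shows why a naive "sequence number jumped" heuristic is not enough: reordered segments produce no gap once the hole is filled.

```python
# Added example (not Bro's own code): a simplified model of the TCP
# sequence-space check behind the misc/capture-loss script.  Segments are
# fed in the order the sensor saw them; an ACK covering bytes never
# captured in the other direction counts as one gap.  Sequence numbers are
# relative (first payload byte is 1) and the handshake is assumed seen.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int                    # relative seq of first payload byte
    length: int                 # payload bytes (0 for a pure ACK)
    ack: Optional[int] = None   # relative ack number, None without ACK flag


class Direction:
    """Bytes captured in one direction of a TCP connection."""

    def __init__(self) -> None:
        self.contig_end = 1                       # all bytes below this seen
        self.pending: List[Tuple[int, int]] = []  # captured ranges above it

    def _normalize(self) -> None:
        self.pending.sort()
        merged: List[Tuple[int, int]] = []
        for s, e in self.pending:
            if s <= self.contig_end:               # adjoins captured prefix
                self.contig_end = max(self.contig_end, e)
            elif merged and s <= merged[-1][1]:    # overlaps previous range
                merged[-1] = (merged[-1][0], max(merged[-1][1], e))
            else:
                merged.append((s, e))
        self.pending = merged

    def add(self, seq: int, length: int) -> None:
        if length > 0:
            self.pending.append((seq, seq + length))
            self._normalize()

    def ack_received(self, ack: int) -> int:
        """Return how many bytes below `ack` the sensor never captured."""
        if ack <= self.contig_end:
            return 0
        missing = ack - self.contig_end
        for s, e in self.pending:          # out-of-order data we did see
            if s < ack:
                missing -= min(e, ack) - s
        # The peer has these bytes, so stop waiting for them.
        self.contig_end = ack
        self.pending = [(max(s, ack), e) for s, e in self.pending if e > ack]
        self._normalize()
        return missing


class CaptureLossDetector:
    def __init__(self) -> None:
        self.dirs: Dict[Tuple[str, str], Direction] = defaultdict(Direction)
        self.acks = 0
        self.gaps = 0
        self.missing_bytes = 0

    def feed(self, seg: Segment) -> None:
        self.dirs[(seg.src, seg.dst)].add(seg.seq, seg.length)
        if seg.ack is not None:
            self.acks += 1
            # An ACK speaks about data flowing the other way.
            missing = self.dirs[(seg.dst, seg.src)].ack_received(seg.ack)
            if missing > 0:
                self.gaps += 1
                self.missing_bytes += missing

    def percent_lost(self) -> float:
        return 0.0 if self.acks == 0 else 100.0 * self.gaps / self.acks


def analyze(trace: List[Segment]) -> Dict[str, float]:
    det = CaptureLossDetector()
    for seg in trace:
        det.feed(seg)
    return {"gaps": det.gaps, "acks": det.acks,
            "missing_bytes": det.missing_bytes,
            "percent_lost": det.percent_lost()}


# Constructed trace: the middle 500 bytes of the response never reached the
# sensor (e.g. dropped by a SPAN port), but the client ACKs all 1200 bytes.
TRACE_WITH_LOSS = [
    Segment("client", "server", seq=1, length=100, ack=1),
    Segment("server", "client", seq=1, length=500, ack=101),
    # server -> client seq 501..1000 missing from the capture
    Segment("server", "client", seq=1001, length=200, ack=101),
    Segment("client", "server", seq=101, length=0, ack=1201),   # gap here
    Segment("client", "server", seq=101, length=50, ack=1201),
    Segment("server", "client", seq=1201, length=0, ack=151),
]

# Constructed trace: same data, merely reordered on the way to the sensor.
TRACE_REORDERED = [
    Segment("client", "server", seq=1, length=100, ack=1),
    Segment("server", "client", seq=501, length=500, ack=101),  # arrives first
    Segment("server", "client", seq=1, length=500, ack=101),    # fills the hole
    Segment("client", "server", seq=101, length=0, ack=1001),
]

if __name__ == "__main__":
    for name, trace in (("loss", TRACE_WITH_LOSS), ("reorder", TRACE_REORDERED)):
        r = analyze(trace)
        print(f"{name}: gaps={r['gaps']} acks={r['acks']} "
              f"missing_bytes={r['missing_bytes']} "
              f"percent_lost={r['percent_lost']:.2f}")
```

The per-direction contiguous prefix is what makes the reordered trace clean: the segment at seq 501 is parked as pending until seq 1 arrives, and the client's ACK of 1001 then finds nothing missing. In the lossy trace the ACK of 1201 arrives while the captured prefix still ends at 501, and the 200 pending bytes at 1001..1200 are subtracted, leaving exactly the 500 bytes the sensor never saw. A rising gaps/acks ratio on an interface whose NIC reports zero drops points at the feed in front of the sensor, which is the case Seth is describing.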
