[Bro] missed bytes without gaps
sangdrax8
sangdrax8 at gmail.com
Wed Dec 18 05:51:19 PST 2013
On Wed, Dec 18, 2013 at 8:22 AM, Seth Hall <seth at icir.org> wrote:
>
> On Dec 18, 2013, at 7:57 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>
> > Using these two definitions, I see almost 40% of my packets fall into
> the "missed" streams, while around 60% fall into the non-missed. I was
> doing this to check my setup and see if I had everything working. From
> everything else (no gaps reported, and almost no dropped packets) I
> thought everything was working. Now I question if something else is wrong,
> and so I am wary about using this to look at other data as it may not be
> complete.
>
> There are a lot of reasons that you could be missing traffic that have
> nothing to do with the packet drop statistics reported by your NIC. I have
> a guess about what's happening in your traffic though. Have you disabled
> the special features on your NIC? Refer to this blog post on how to do it
> on linux:
>
> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
>
> If you want a much better mechanism to see if you're receiving all of the
> traffic you should be I recommend loading the misc/capture-loss script. By
> default it will write out to capture_loss.log every 15 minutes and due to
> it taking measurements of TCP streams themselves it can even detect packet
> loss occurring before the packets arrive at your monitoring interface. A
> number of people have detected faulty packet distribution boxes and
> overloaded switch SPAN ports with it.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
Wow, thank you, this was exactly my problem! I have turned these settings
off and in the last 5 minute window my missed bytes went from ~40% to 0%.
Perhaps a quick note in the docs could point others to offloading features
in NICs as well because this fixed everything for me!
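The fix both messages are talking about is turning off the NIC offload features (segmentation, receive coalescing, checksum offload) so that libpcap sees the packets as they were on the wire rather than the kernel's reassembled super-packets. The script below is an added example, not code from this thread, from the linked blog post or from the Bro project; it assumes a Linux sensor with `ethtool` installed, parses `ethtool -k` output to report which capture-relevant offloads are still on, and builds the matching `ethtool -K ... off` command. The `ethtool -k` text in `SAMPLE_ETHTOOL_K` is constructed for illustration, and the function names (`enabled_offloads`, `disable_cmd`, `fix_offloads`) are the example's own.

```shell
#!/bin/sh
# Constructed (abbreviated) sample of `ethtool -k eth1` output on a sensor
# whose offloads are still at their defaults. Not taken from a real host.
SAMPLE_ETHTOOL_K='Features for eth1:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
'

# Map the long feature names printed by `ethtool -k` to the short keywords
# that `ethtool -K` accepts. Only capture-relevant offloads are listed;
# anything else (headers, sub-features) is ignored by returning 1.
short_name() {
  case "$1" in
    rx-checksumming)              echo rx ;;
    tx-checksumming)              echo tx ;;
    scatter-gather)               echo sg ;;
    tcp-segmentation-offload)     echo tso ;;
    generic-segmentation-offload) echo gso ;;
    generic-receive-offload)      echo gro ;;
    large-receive-offload)        echo lro ;;
    rx-vlan-offload)              echo rxvlan ;;
    tx-vlan-offload)              echo txvlan ;;
    *) return 1 ;;
  esac
}

# enabled_offloads: read `ethtool -k` text on stdin and print, on one line,
# the short names of the capture-relevant features that are still "on".
# Features marked "[fixed]" cannot be changed and are reported as-is.
enabled_offloads() {
  out=""
  while IFS= read -r line; do
    case "$line" in [[:space:]]*) continue ;; esac   # skip indented sub-features
    name=${line%%:*}
    short=$(short_name "$name") || continue
    state=${line#*:}
    state=${state# }
    case "$state" in
      on*) out="$out${out:+ }$short" ;;
    esac
  done
  printf '%s\n' "$out"
}

# off_args "tso gso" -> "tso off gso off" (the argument form `ethtool -K` wants).
off_args() {
  args=""
  for f in $1; do args="$args${args:+ }$f off"; done
  printf '%s\n' "$args"
}

# disable_cmd IFACE "tso gso ..." -> the full command line, for review/logging.
disable_cmd() {
  printf 'ethtool -K %s %s\n' "$1" "$(off_args "$2")"
}

# fix_offloads IFACE: query the live interface and turn off whatever is on.
# Needs root. These settings do not persist across reboots, so run this from
# whatever brings the capture interface up.
fix_offloads() {
  iface=$1
  on=$(ethtool -k "$iface" | enabled_offloads)
  if [ -z "$on" ]; then
    echo "$iface: no capture-relevant offloads enabled"
    return 0
  fi
  echo "$iface: running: $(disable_cmd "$iface" "$on")"
  # shellcheck disable=SC2046  # word-splitting into "tso off gso off ..." is intended
  ethtool -K "$iface" $(off_args "$on")
}

# Stand-alone use: ./fix-offloads.sh eth1
if [ -n "${1:-}" ]; then
  fix_offloads "$1"
fi
```

Run it once per capture interface and again from a boot-time network hook, since `ethtool -K` changes are lost on reboot. After the change, keep the check Seth suggests in place: `@load misc/capture-loss` in `local.bro` writes `capture_loss.log` every 15 minutes and measures gaps inside TCP streams, so it will still flag loss that happens upstream of the sensor (an overloaded SPAN port or a bad tap) even when the NIC counters look clean.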