[Bro] missed bytes without gaps

sangdrax8 sangdrax8 at gmail.com
Wed Dec 18 05:51:19 PST 2013


On Wed, Dec 18, 2013 at 8:22 AM, Seth Hall <seth at icir.org> wrote:

>
> On Dec 18, 2013, at 7:57 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>
> > Using these two definitions, I see almost 40% of my packets fall into
> the "missed" streams, while around 60% fall into the non-missed.  I was
> doing this to check my setup and see if I had everything working.  From
> everything else (no gaps reported, and almost no dropped packets) I
> thought everything was working.  Now I question if something else is wrong,
> and so I am wary about using this to look at other data as it may not be
> complete.
>
> There are a lot of reasons that you could be missing traffic that have
> nothing to do with the packet drop statistics reported by your NIC.  I have
> a guess about what's happening in your traffic though.  Have you disabled
> the special features on your NIC?  Refer to this blog post on how to do it
> on linux:
>
> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
>
> If you want a much better mechanism to see if you're receiving all of the
> traffic you should be I recommend loading the misc/capture-loss script.  By
> default it will write out to capture_loss.log every 15 minutes and due to
> it taking measurements of TCP streams themselves it can even detect packet
> loss occurring before the packets arrive at your monitoring interface.  A
> number of people have detected faulty packet distribution boxes and
> overloaded switch SPAN ports with it.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>

Wow thank you this was exactly my problem!  I have turned these settings
off and in the last 5 minute window my missed bytes went from ~40% to 0%.

Perhaps a quick note in the docs could point others to offloading features
in NICs as well because this fixed everything for me!
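The two checks the exchange above turns on, as an added example that is not code from this thread or from the Bro project: which NIC offload features (GRO, LRO, TSO, GSO, checksum and VLAN offload, scatter-gather) are still enabled according to `ethtool -k`, with the `ethtool -K` command that switches them off, and how much traffic Bro reported as missed, computed from the missed_bytes column of conn.log. The interface name eth1, the `ethtool -k` output and the conn.log lines are constructed sample input so the script runs offline; the column layout follows the `#fields` header, so a production conn.log works unchanged.

```shell
#!/bin/sh
# Added example (not from the thread or the Bro project).
# 1. list capture-relevant NIC offloads still "on" and build the ethtool -K fix
# 2. summarise missed_bytes from a Bro conn.log
# eth1, the ethtool output and the log lines below are constructed samples.

# Offloads that merge, split or checksum packets in hardware, so the capture
# interface sees something other than what was on the wire. Names are the
# ones `ethtool -k` prints; ethtool_short_name maps them to -K arguments.
CAPTURE_OFFLOADS="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload generic-segmentation-offload \
generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload"

ethtool_short_name() {
    case "$1" in
        rx-checksumming) echo rx ;;              tx-checksumming) echo tx ;;
        scatter-gather) echo sg ;;               tcp-segmentation-offload) echo tso ;;
        generic-segmentation-offload) echo gso ;; generic-receive-offload) echo gro ;;
        large-receive-offload) echo lro ;;       rx-vlan-offload) echo rxvlan ;;
        tx-vlan-offload) echo txvlan ;;
        *) echo "unknown feature: $1" >&2; return 1 ;;
    esac
}

# enabled_offloads: read `ethtool -k IFACE` output on stdin, print the
# capture-relevant features that are "on", one per line. Only column-0 lines
# count; tab-indented sub-features are skipped. A feature shown "on [fixed]"
# is listed but cannot be changed by -K; such a NIC needs another capture path.
enabled_offloads() {
    awk -v want="$CAPTURE_OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        /^[a-z0-9-]+: *on/ { name = $1; sub(/:$/, "", name); if (name in wanted) print name }'
}

# disable_offloads_cmd IFACE: print the ethtool command that turns off every
# feature enabled_offloads found on stdin. Prints nothing if the NIC is clean.
disable_offloads_cmd() {
    iface=$1
    args=""
    for feature in $(enabled_offloads); do
        args="$args $(ethtool_short_name "$feature") off"
    done
    if [ -n "$args" ]; then
        echo "ethtool -K $iface$args"
    fi
}

# missed_bytes_stats: read a Bro conn.log on stdin and summarise gaps.
# missed_bytes is TCP payload Bro inferred from sequence numbers but never saw;
# orig/resp_ip_bytes are IP-layer bytes it did see, so missed_pct is only an
# approximate share of traffic the sensor never received.
missed_bytes_stats() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        NF > 1 {
            m = $(col["missed_bytes"]); if (m == "-") m = 0
            conns++; missed += m
            ip_bytes += $(col["orig_ip_bytes"]) + $(col["resp_ip_bytes"])
            if (m > 0) gaps++
        }
        END {
            total = ip_bytes + missed
            pct = (total > 0) ? 100 * missed / total : 0
            printf "connections=%d with_gaps=%d missed_bytes=%d ip_bytes=%d missed_pct=%.1f\n",
                   conns, gaps, missed, ip_bytes, pct
        }'
}

# Constructed `ethtool -k eth1` output: the usual default, everything on
# except LRO, which is off and fixed.
sample_ethtool_k() {
    printf '%s\n' 'Features for eth1:' 'rx-checksumming: on' 'tx-checksumming: on' \
        'scatter-gather: on' 'tcp-segmentation-offload: on'
    printf '\ttx-tcp-segmentation: on\n'   # indented sub-feature, ignored
    printf '%s\n' 'udp-fragmentation-offload: off [fixed]' \
        'generic-segmentation-offload: on' 'generic-receive-offload: on' \
        'large-receive-offload: off [fixed]' 'rx-vlan-offload: on' \
        'tx-vlan-offload: on' 'ntuple-filters: off [fixed]' 'receive-hashing: on'
}

# Constructed conn.log with a reduced column set: the second connection has a
# 2896-byte gap, the UDP one has missed_bytes unset ("-").
sample_conn_log() {
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tmissed_bytes\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\n'
    printf '1387374679.123\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\t0\t6\t412\t8\t6120\n'
    printf '1387374680.456\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t93.184.216.34\t443\ttcp\t2896\t10\t1180\t14\t3500\n'
    printf '1387374681.789\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t33100\t10.0.0.53\t53\tudp\t-\t1\t73\t1\t140\n'
}

# On a real sensor replace the sample_* producers with
#   ethtool -k eth1 | disable_offloads_cmd eth1     (then run the output as root)
#   missed_bytes_stats < /path/to/current/conn.log
sample_ethtool_k | disable_offloads_cmd eth1
sample_conn_log | missed_bytes_stats
```

`ethtool -K` settings are runtime only and revert at the next interface up or reboot, so the printed command belongs in whatever brings the sniffing interface up. After applying it, re-run `ethtool -k` rather than trusting the exit status, since some drivers silently leave a feature on. For an ongoing measurement that does not depend on your own conn.log arithmetic, the misc/capture-loss script Seth mentions is loaded with `@load misc/capture-loss` and writes capture_loss.log.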