[Bro] My last issue I hope

Richards, James L - DOA James.Richards at wisconsin.gov
Fri Jun 21 07:23:54 PDT 2013 

Interesting...  I swear that these were at 0, but in looking at one node I am seeing what appear to be packets captured...  The one here is on the manager which is also running suricata I am seeing packets captured: But further below I am not seeing packets on the node, and the APPL Name is unknown...

On The MANAGER
richaj at utlmad0d0363:/proc/net/pf_ring$ more 32094-eth4.137
Bound Device(s)    : eth4
Active             : 1
Breed              : Non-DNA
Sampling Rate      : 1
Capture Direction  : RX+TX
Socket Mode        : RX+TX
Appl. Name         : Suricata
IP Defragment      : No
BPF Filtering      : Disabled
# Sw Filt. Rules   : 0
# Hw Filt. Rules   : 0
Poll Pkt Watermark : 128
Num Poll Calls     : 1534927
Channel Id Mask    : 0xFFFFFFFF
Cluster Id         : 99
Slot Version       : 14 [5.4.6]
Min Num Slots      : 4889
Bucket Len         : 1514
Slot Len           : 1714 [bucket+header]
Tot Memory         : 8388608
Tot Packets        : 107648318
Tot Pkt Lost       : 672416
Tot Insert         : 106975907
Tot Read           : 106975798
Insert Offset      : 7698710
Remove Offset      : 7603240
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Num Free Slots     : 4780

On the NODE:
richaj at utlmad0d0367:/proc/net/pf_ring$ more 8903-eth4.5
Bound Device(s)    : eth4
Active             : 1
Breed              : Non-DNA
Sampling Rate      : 1
Capture Direction  : RX+TX
Socket Mode        : RX+TX
Appl. Name         : <unknown>
IP Defragment      : No
BPF Filtering      : Enabled
# Sw Filt. Rules   : 0
# Hw Filt. Rules   : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 665709393
Channel Id Mask    : 0xFFFFFFFF
Cluster Id         : 22
Slot Version       : 14 [5.4.6]
Min Num Slots      : 8159
Bucket Len         : 8192
Slot Len           : 8224 [bucket+header]
Tot Memory         : 67108864
Tot Packets        : 0
Tot Pkt Lost       : 0
Tot Insert         : 0
Tot Read           : 0
Insert Offset      : 0
Remove Offset      : 0
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Num Free Slots     : 8159
richaj at utlmad0d0367:/proc/net/pf_ring$


James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880


-----Original Message-----
From: Justin Azoff [mailto:JAzoff at albany.edu] 
Sent: Thursday, June 20, 2013 6:22 PM
To: Richards, James L - DOA
Cc: bro at bro.org
Subject: Re: [Bro] My last issue I hope

On Thu, Jun 20, 2013 at 10:31:55AM -0500, Richards, James L - DOA wrote:
> eth4      Link encap:Ethernet  HWaddr 00:1b:21:33:55:20
>           inet6 addr: fe80::21b:21ff:fe33:5520/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:474826801 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:330011101828 (330.0 GB)  TX bytes:468 (468.0 B)

You have something like this in your node.cfg ?

    interface=eth4
    lb_method=pf_ring
    lb_procs=4



-- 
-- Justin Azoff
-- Network Security & Performance Analyst

More information about the Bro mailing list