[Bro] Question about capture loss script vs. broctl netstats

Schoenefeld, Keith P. Keith_Schoenefeld at baylor.edu
Tue Jun 25 11:15:27 PDT 2013 

My understanding is that this indicates Bro is processing every packet it receives, but it is only receiving about 60% of the packets that are crossing the wire Bro is monitoring…

Do you have more information about the link you are tapping (bandwidth, packets/sec), the network card on the Bro box, and the specs of the Bro box?

-- KS

From: Derek Banks <itsecderek at gmail.com<mailto:itsecderek at gmail.com>>
Date: Tuesday, June 25, 2013 12:50 PM
To: "bro at bro-ids.org<mailto:bro at bro-ids.org>" <bro at bro-ids.org<mailto:bro at bro-ids.org>>
Subject: [Bro] Question about capture loss script vs. broctl netstats

I apologize if this has been answered already - I was searching through the list archives and did't seem to find the answer.

I have configured a RHEL 6 server with the latest Bro from the repository and pf_ring 5.2.2.

It seems pf_ring works - I run pfcount on my capture interface and it sees traffic and reports no packet loss.

I have Bro configured per the post at http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html and everything starts fine and Bro is up and running.

I run netstats in the Broctl shell and get:

worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222

But in the notice.log file I see:
1372179930.880560    -    -    -    -    -    -    CaptureLoss::Too_Much_Loss    The capture loss script detected an estimated
loss rate above 38.520%    -    -    -    -    -    worker-0-3    Notice::ACTION_LOG    3600.000000    F    -    -    -    --
1372179930.908354    -    -    -    -    -    -    CaptureLoss::Too_Much_Loss    The capture loss script detected an estimated
loss rate above 37.415%    -    -    -    -    -    worker-0-4    Notice::ACTION_LOG    3600.000000    F    -    -    -    --
1372179930.923939    -    -    -    -    -    -    CaptureLoss::Too_Much_Loss    The capture loss script detected an estimated
loss rate above 40.462%    -    -    -    -    -    worker-0-1    Notice::ACTION_LOG    3600.000000    F    -    -    -    --
1372179930.923939    -    -    -    -    -    -    CaptureLoss::Too_Much_Loss    The capture loss script detected an estimated
loss rate above 42.910%    -    -    -    -    -    worker-0-2    Notice::ACTION_LOG    3600.000000    F    -    -    -    --

So my question is, am I dropping packets or am I good to go?

Best Regards,
Derek Banks

More information about the Bro mailing list