[Bro] Question about capture loss script vs. broctl netstats

Alex Waher alexwis at gmail.com
Thu Jun 27 11:00:53 PDT 2013


If you're seeing nearly 50% of dropped traffic, perhaps the SPAN session is
monitoring one direction of traffic flow across a NAT'd interface or proxy
server?  On the external interface monitoring inbound, and on the internal
interface monitoring inbound? Any introduction of non-bidirectional
traffic would very likely confuse the capture loss script.


On Thu, Jun 27, 2013 at 6:09 AM, Vern Paxson <vern at icir.org> wrote:

> As Seth mentions, the capture-loss script is quite robust, because it
> essentially computes an end-to-end value.  I don't know of any situations
> where in practice it makes poor estimates.  These stats:
>
> > worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
> > worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
> > worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
> > worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222
>
> on the other hand come from the kernel's statistics.  If packets are lost
> prior to the kernel even seeing them (such as due to an overwhelmed SPAN
> port - quite common), then while it reports no drops, that's not a
> useful end-to-end measure.  (Also, some kernels have bugs in how these
> statistics are captured, for example missing out on packets dropped by
> the NIC rather than the kernel.)
>
>                 Vern
>
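An added example, not code from this thread or from Bro's own capture-loss script: it parses the netstats lines quoted above and, beside them, runs a simplified gap counter over a constructed TCP exchange to show why a kernel report of dropped=0 can coexist with real loss upstream of the kernel (an overwhelmed SPAN port). The gap model (count ACKs that cover bytes the sensor never observed) is an assumption of this example, not Bro's reassembler.

```python
import re

# Constructed sample: the broctl netstats lines quoted in the thread.
NETSTATS = """\
worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
"""

STAT_RE = re.compile(
    r"^(?P<worker>\S+): (?P<ts>[\d.]+) recvd=(?P<recvd>\d+) "
    r"dropped=(?P<dropped>\d+) link=(?P<link>\d+)$")


def parse_netstats(text):
    """Map worker name -> (recvd, dropped, link) from broctl netstats output."""
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m["worker"]] = tuple(int(m[k]) for k in ("recvd", "dropped", "link"))
    return stats


def kernel_drop_pct(stats):
    """Loss as the kernel reports it: dropped / link summed over all workers."""
    link = sum(v[2] for v in stats.values())
    return 100.0 * sum(v[1] for v in stats.values()) / link if link else 0.0


def gap_loss_pct(events):
    """Capture-loss style estimate over one TCP direction (simplified model).
    events: ("data", seq, length) segments the sensor saw and ("ack", ackno)
    from the peer.  An ACK past the contiguous bytes we saw means the peer
    received data we never did: a gap.  Result is gaps / acks as a percent."""
    segs, next_expected, acks, gaps = [], 1, 0, 0
    for ev in events:
        if ev[0] == "data":
            segs.append((ev[1], ev[1] + ev[2]))
            while True:  # absorb contiguous (possibly reordered) segments
                ends = [e for s, e in segs if s <= next_expected < e]
                if not ends:
                    break
                next_expected = max(ends)
        else:
            acks += 1
            if ev[1] > next_expected:  # peer acked bytes the sensor never saw
                gaps += 1
                next_expected = ev[1]
    return 100.0 * gaps / acks if acks else 0.0


# Constructed exchange: segment 201-300 was lost before the kernel saw it.
EVENTS = [("data", 1, 100), ("ack", 101), ("data", 101, 100), ("ack", 201),
          ("data", 301, 100), ("ack", 401), ("data", 401, 100), ("ack", 501)]

if __name__ == "__main__":
    print("kernel says dropped: %.1f%%" % kernel_drop_pct(parse_netstats(NETSTATS)))
    print("gap-based estimate:  %.1f%%" % gap_loss_pct(EVENTS))
```

The kernel figure comes out at 0.0% for the quoted lines while the gap estimate on the constructed exchange is 25.0%, which is the end-to-end effect the reply describes.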