[Bro] Dropping all packets, but not crashed?
Jesse Bowling
jessebowling at gmail.com
Fri Mar 8 10:51:27 PST 2013
I noticed today while reviewing my notice.log that one worker thread has
been consistently dropping all packets that it received... The status
indicated that it was running, and a restart of the worker did not indicate
that anything was crashed or that it exited oddly... After using broctl to
restart the worker, no more notices...

I imagine it's too late to gather more info about this now, but if the
situation should present itself again, how would I gather the most debug
information to try to find out why? Are there settings I should turn on
now, or commands I should run at the time? strace, gdb, etc?

Is it too late to get more info about why this was happening?

I also just happened to visit the securityonion page and notice this at the
top:

"An issue was recently discovered in Bro 2.1 when monitoring multiple
interfaces with PF_RING that could result in traffic loss. This issue is
targeted for resolution in Bro 2.2. In the meantime, if you're monitoring
multiple interfaces with Bro, please disable Bro's PF_RING load balancing
as follows:"

This could perhaps describe my situation.... Anyone have any more specifics
on this?

Cheers,

Jesse
--
Jesse Bowling