[Bro] Dropping all packets, but not crashed?

Jesse Bowling jessebowling at gmail.com
Fri Mar 8 11:03:06 PST 2013


Thanks Scott!

I'm due for an upgrade on PF_RING so knowing this might be related is more
fuel to the fire.

Cheers,

Jesse

On Fri, Mar 8, 2013 at 2:00 PM, Scott Campbell <scampbell at lbl.gov> wrote:

> We saw a very similar thing here - there ended up being an issue with
> PF_RING < 5.5.2 where corrupted VLAN tagged packets caused the exact
> situation you describe.  We were seeing this 2-3 times a day.
>
> I upgraded the PF_RING to 5.2.2 and the issue went away.  This problem
> is listed in the ChangeLog as well.
>
> cheers,
> scott
>
> On 3/8/13 12:51 PM, Jesse Bowling wrote:
> > I noticed today while reviewing my notice.log that one worker
> > thread has been consistently dropping all packets that it
> > received...The status indicated that it was running, and a restart
> > of the worker did not indicate that anything was crashed or that it
> > exited oddly...After using broctl to restart the worker, no more
> > notices...
> >
> > I imagine it's too late to gather more info about this now, but if
> > the situation should present itself again, how would I gather the
> > most debug information to try to find out why? Are there settings I
> > should turn on now, or commands I should run at the time? strace,
> > gdb, etc?
> >
> > Is it too late to get more info about why this was happening?
> >
> > I also just happened to visit the securityonion page and notice
> > this at the top:
> >
> > "An issue was recently discovered in Bro 2.1 when monitoring
> > multiple interfaces with PF_RING that could result in traffic loss.
> > This issue is targeted for resolution in Bro 2.2.  In the meantime,
> > if you're monitoring multiple interfaces with Bro, please disable
> > Bro's PF_RING load balancing as follows:"
> >
> > This could perhaps describe my situation....Anyone have any more
> > specifics on this?
> >
> > Cheers,
> >
> > Jesse



-- 
Jesse Bowling