[Bro] Bro Cluster Dropped Packets

Jesse Bowling jessebowling at gmail.com
Wed Apr 30 06:59:50 PDT 2014


Hello MK,

Would you happen to be running PF_RING 5.6.2? If so, you might want to join
in on this thread on the ntop-misc list:

http://www.gossamer-threads.com/lists/ntop/misc/34343

To speak more directly to the question you asked, you can certainly look at
the stats from ifconfig to see if your card is dropping packets (something
I'm seeing with the above issue), and you can also look at the stats in
/proc/net/pf_ring/${PID_FROM_EACH_BRO_WORKER}*. I'm not sure where any
Bro-specific stats may be kept...

Cheers,

Jesse


On Wed, Apr 30, 2014 at 9:42 AM, M K <mkhan04 at gmail.com> wrote:

> Is there any way to determine the cause of dropped packets? I'm running
> Bro Cluster (2.2) on a single machine with 1 manager, 1 proxy and 10
> workers. The total number of workers is much less than the number of cpus
> in this machine (system load doesn't usually get higher than 2 and
> individual worker processes hover at around 30-40% cpu utilization). The
> machine has PF_Ring and related ethernet drivers installed. After looking
> at netstats there are always some dropped packets. The occasional dropped
> packet isn't usually a cause for concern but some workers show large
> numbers of dropped packets. I'd like to know what part of the process is
> bottlenecked and causing packets to be dropped.
>
>
> The documentation mentions that broctl cron logs stats but doesn't mention
> where they're located (didn't see anything in spool that looked like
> cluster runtime stats) or how to view the data.
>
> Anyone have any ideas?



-- 
Jesse Bowling
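
The per-worker check suggested in the reply above, as an added example that is not part of the original message or of PF_RING itself: it summarises loss per ring from the files under /proc/net/pf_ring. It assumes each ring file is named `<pid>-<dev>.<id>` and carries `Tot Packets` and `Tot Pkt Lost` lines; the function names, sample PIDs and counter values are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: per-ring files under /proc/net/pf_ring are named
# <pid>-<dev>.<id> and contain "Tot Packets" and "Tot Pkt Lost" counters.
# Usage on a sensor: pf_ring_loss /proc/net/pf_ring 1

# pf_ring_loss DIR [LIMIT_PCT]: print one summary line per ring file in DIR.
pf_ring_loss() {
    dir=$1
    limit=${2:-1}
    for f in "$dir"/[0-9]*-*; do
        [ -f "$f" ] || continue   # skip an unexpanded glob and subdirectories
        awk -F: -v ring="${f##*/}" -v limit="$limit" '
            { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
              val = $2; gsub(/[ \t]/, "", val) }
            key == "Tot Packets"  { pkts = val }
            key == "Tot Pkt Lost" { lost = val }
            END {
                if (pkts == "" || lost == "") { print ring " unparsed"; exit }
                # Lost as a share of Tot Packets: a relative indicator for
                # comparing workers, not an exact drop rate.
                pct = (pkts + 0 > 0) ? 100 * lost / pkts : 0
                printf "%s packets=%s lost=%s loss=%.2f%% %s\n",
                       ring, pkts, lost, pct, (pct > limit ? "HIGH" : "ok")
            }' "$f"
    done
}

# make_sample DIR: write constructed ring files (trimmed to a few fields)
# so the function can be tried away from a live sensor.
make_sample() {
    printf 'Bound Device(s)    : eth2\nTot Packets        : 200000\nTot Pkt Lost       : 0\n' \
        > "$1/1201-eth2.0"
    printf 'Bound Device(s)    : eth2\nTot Packets        : 200000\nTot Pkt Lost       : 50000\n' \
        > "$1/1202-eth2.1"
    printf 'constructed placeholder, not a ring file\n' > "$1/info"
}
```

A ring flagged HIGH while the interface's own drop counters stay flat suggests the worker reading that ring is not keeping up, rather than the card.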