[Bro] bro werid.log are very high
Zhai, Jim (MGS)
Jim.Zhai at ontario.ca
Thu Aug 7 08:50:32 PDT 2014
Thanks Seth. We do have very high loss degree loss as well, over 60%. We use the bridge-utils to bridge two interface eth1 and eth2 which does split the traffic. We currently just monitoring br0 interface. We recently upgrade bro from 2.2 to 2.3 The capture loss used to be very low on 2.2. But the wried.log remain the same. Just wondering if software bridge setting works in this situation?
Regards,
Jim Zhai
-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: August-07-14 11:42 AM
To: Zhai, Jim (MGS)
Cc: bro at bro.org
Subject: Re: [Bro] bro werid.log are very high
On Aug 7, 2014, at 11:17 AM, Zhai, Jim (MGS) <Jim.Zhai at ontario.ca> wrote:
> Just wondering why werid.log are very high volume. There is a lot of "possible_split_routing" in werid.log. How to get rid of this issue?
It's very possible that you have split routing on your network. In other words, you might only be seeing one direction of traffic because the other direction of traffic is going on a route that you aren't seeing (another router for example).
Are you loading the misc/capture-loss.bro script? It's possible that could be cause by a high degree of packet loss as well.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list