[Bro] bro werid.log are very high

Zhai, Jim (MGS) Jim.Zhai at ontario.ca
Thu Aug 7 10:22:56 PDT 2014


>You're determining that number from capture-loss.log or something else?
Yes, we found this in capture-loss.log. It used to be very low, but after upgrading to 2.3 today, it jumped to 67%.

>Did you mean that it merges the traffic?

Inbound and outbound are merged.

Regards,

Jim Zhai


-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: August-07-14 1:18 PM
To: Zhai, Jim (MGS)
Cc: bro at bro.org
Subject: Re: [Bro] bro werid.log are very high


On Aug 7, 2014, at 11:50 AM, Zhai, Jim (MGS) <Jim.Zhai at ontario.ca> wrote:

> Thanks Seth. We do have a very high degree of loss as well, over 60%.

You're determining that number from capture-loss.log or something else?

> We use bridge-utils to bridge two interfaces, eth1 and eth2, which does split the traffic.

Did you mean that it merges the traffic?

> We recently upgraded Bro from 2.2 to 2.3. The capture loss used to be very low on 2.2. But the weird.log remains the same. Just wondering if the software bridge setting works in this situation?

Yeah, that should work fine.  It sounds like you might want to come up with a solution to your packet loss first.  Unfortunately I can't give you an answer without knowing more about your network and what your deploy looks like.  In most cases, 2.3 should actually be more efficient than 2.2.  There was some work done around identifying some major inefficiencies and addressing them.

 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
