[Bro] Unexplained Performance Differences Between Like Servers

Gilbert Clark gc355804 at ohio.edu
Fri Jun 13 07:45:28 PDT 2014 

Hi Justin:

> > Is the type of traffic in the 600 Mbps stream similar to the type of 
> traffic in the 700 Mbps stream?
> I'm not 100% sure but I think that is a really good question to ask. 
> Do you know of any good tools that might help inform an answer? I know 
> of iptraf for example, is there one that folks generally prefer the most?
bro ships with a utility called 'trace-summary' that will print some 
useful information about the trace.  It is written in Python (I think 
2.6+ should work fine, though someone can feel free to correct me if I'm 
wrong :).  Example run / output available below at [1], though the 
formatting is terrible without a monospace font.

Note that it's possible to run trace-summary against either bro log 
files (-C option) *or* a captured trace, so capturing a trace is not 
necessarily required in order to use the tool.  Additionally, if it's 
desired to run trace-summary against a trace directly, ipsumdump is 
required (http://www.read.seas.harvard.edu/~kohler/ipsumdump/).

Cheers,
Gilbert

[1] clarkg1-osx:trace-summary clarkg1$ python trace-summary 
~/net.2009.12.06.1159.dmp

 >== Total === 2009-12-06-15-00-10 - 2009-12-07-14-59-40
    - Bytes 150.6m - Payload 144.1m - Pkts 169.0k - Frags  88.5% - 
MBit/s      0.0 -
      Ports        | Sources                   | 
Destinations              | Services           | Protocols |
      80     88.0% | 198.189.255.76      22.5% | 192.168.1.103 45.0% 
|             100.0% | 6   90.5% |         |
      1119   23.0% | 192.168.1.105       13.2% | 192.168.1.105 19.6% 
|                    | 17   8.2% |         |
      1115    9.6% | 192.168.1.103       12.9% | 198.189.255.76 4.1% 
|                    | 1    0.0% |         |
      1817    5.9% | 198.189.255.74      10.8% | 192.168.1.255 2.3% 
|                    |           |         |
      49638   3.5% | 151.207.243.129      3.8% | 198.189.255.74 2.3% 
|                    |           |         |
      1117    3.4% | 192.168.1.1          3.4% | 151.207.243.129 2.2% 
|                    |           |         |
      626     3.4% | 74.125.164.32        2.8% | 192.168.1.1 1.8% 
|                    |           |         |
      137     3.2% | 74.125.164.91        2.1% | 224.0.0.1 1.7% 
|                    |           |         |
      53      2.9% | 192.168.1.104        1.9% | 192.168.1.104 1.5% 
|                    |           |         |
      49378   2.5% | 192.168.1.106        1.6% | 0.0.0.0 1.3% 
|                    |           |         |


First: 2009-12-06-15-00-10 (1260129610.426233) Last: 2009-12-07-14-59-40 
1260215980.426237

More information about the Bro mailing list