[Bro] dropped packets
sangdrax8
sangdrax8 at gmail.com
Tue Mar 4 08:02:06 PST 2014
I hate to ask about dropped packets again, as I feel it is a recurring
question... but I can't seem to figure out if this is a configuration issue
or just not enough hardware. I see people asking about massive pipes, but
I am not looking at a very large pipe here. Using broctl's capstats, I
show:
kpps .3
mbps .6
The node that is dropping is a physical machine that doesn't appear to have
issues with memory or CPU. There are 2 bro processes in top, and both
generally are at or under 20% CPU utilization. The box keeps a load
average around .30, which generally would not make me believe it was
overtaxed.
An example notice:
1393944936.832292 - - - - - - - - - PacketFilter::Dropped_Packets 11 packets dropped after filtering, 207913 received, 207913 on link - - - - - ids-1 Notice::ACTION_LOG 3600.000000 F - - - - -
I was having issues with missed bytes, but that was resolved by turning off
offload settings on my NIC. I rarely see any missed bytes now.
I have tried adjusting some settings, but I saw no improvements.
sysctl -w net.core.rmem_max=8388608
sysctl -w net.core.wmem_max=8388608
sysctl -w net.core.rmem_default=65536
sysctl -w net.core.wmem_default=65536
sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608'
sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608'
sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
sysctl -w net.ipv4.route.flush=1
I would appreciate any suggestions/comments.