[Bro] dropped packets

sangdrax8 sangdrax8 at gmail.com
Thu Mar 6 04:33:13 PST 2014


Well, that explains the interval.  The example I posted was one of the
smallest loss amounts, but what is an acceptable or expected loss level?
In the last 6 hours my setup does have 1448 out of 206031, or .7%.  So
.005% seems small, is .7% small?

I am running the default local.bro, and it does have misc/scan loaded.  I
will turn that off and see if I still see loss, but if 1% or less is considered
normal loss even for a low load and small traffic, then I guess it is less
important.


On Wed, Mar 5, 2014 at 9:21 PM, Seth Hall <seth at icir.org> wrote:

>
> On Mar 4, 2014, at 11:02 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>
> > 1393944936.832292     -       -       -       -       -       -       -       -       -       -       PacketFilter::Dropped_Packets   11 packets dropped after filtering, 207913 received, 207913 on link     -       -       -       -       -       ids-1   Notice::ACTION_LOG      3600.000000     F       -       -       -       -       -
>
> Turns out...
>
> PacketFilter::stats_collection_interval is 5 mins by default.  You're
> seeing it reported every 5 minutes because that's the reporting interval. :)
>
> If you look into the percentage of traffic you're seeing reported as lost,
> it's actually 0.005% which isn't really that bad.  Granted, it doesn't
> explain *why* you had a few packets reported as lost but in the grand
> scheme of things it's really not that bad.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
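
Added example, not part of the original messages and not code from the Bro project: a small Python script that pulls `PacketFilter::Dropped_Packets` notices out of notice.log lines and computes the loss percentage per notice and in total, the same ratio discussed in this thread. The function names and the trimmed column layout of the sample lines are assumptions; only the first sample message is taken from the thread, the rest is constructed, and each notice is assumed to cover one stats interval.

```python
import re

# Message text as it appears in the notice quoted in this thread.
MSG_RE = re.compile(r"(\d+) packets dropped after filtering, (\d+) received")

def parse_dropped_notices(lines):
    """Return [(timestamp, dropped, received)] for Dropped_Packets notices."""
    rows = []
    for line in lines:
        if line.startswith("#") or "PacketFilter::Dropped_Packets" not in line:
            continue  # skip log headers and unrelated notices
        m = MSG_RE.search(line)
        if m:
            ts = float(line.split(None, 1)[0])
            rows.append((ts, int(m.group(1)), int(m.group(2))))
    return rows

def loss_percent(dropped, received):
    """Dropped packets as a percentage of packets received."""
    return 100.0 * dropped / received if received else 0.0

def summarize(lines):
    """Aggregate loss over all notices and pick the worst single notice."""
    rows = parse_dropped_notices(lines)
    dropped = sum(r[1] for r in rows)
    received = sum(r[2] for r in rows)
    worst = max(rows, key=lambda r: loss_percent(r[1], r[2]), default=None)
    return {"notices": len(rows), "dropped": dropped, "received": received,
            "loss_pct": loss_percent(dropped, received), "worst": worst}

def _line(ts, note, msg):
    # Constructed, trimmed layout (assumption): ts, uid, note, msg, peer, action.
    return "\t".join([ts, "-", note, msg, "ids-1", "Notice::ACTION_LOG"])

DROP = "PacketFilter::Dropped_Packets"
SAMPLE = [
    "#fields\tts\tuid\tnote\tmsg\tpeer_descr\tactions",
    # Message values from the notice quoted in this thread:
    _line("1393944936.832292", DROP,
          "11 packets dropped after filtering, 207913 received, 207913 on link"),
    # Constructed lines:
    _line("1393945236.832292", DROP,
          "40 packets dropped after filtering, 100000 received, 100000 on link"),
    _line("1393945300.000000", "Scan::Port_Scan", "constructed unrelated notice"),
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['dropped']}/{s['received']} dropped = {s['loss_pct']:.4f}%")
```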