[Bro] dropped packets
sangdrax8
sangdrax8 at gmail.com
Thu Mar 6 04:33:13 PST 2014
Well, that explains the interval. The example I posted was one of the
smallest loss amounts, but what is an acceptable or expected loss level?
In the last 6 hours my setup does have a 1448 out of 206031, or .7%. So
.005% seems small, is .7% small?
I am running the default local.bro, and it does have misc/scan loaded. I
turn that off and see if I still see loss, but if 1% or less is considered
normal loss even for a low load and small traffic, then I guess it is less
important.
On Wed, Mar 5, 2014 at 9:21 PM, Seth Hall <seth at icir.org> wrote:
>
> On Mar 4, 2014, at 11:02 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>
> > 1393944936.832292 - - - - - - -
> - - PacketFilter::Dropped_Packets 11 packets dropped
> after filtering, 207913 received, 207913 on link - - -
> - - ids-1 Notice::ACTION_LOG 3600.000000 F -
> - - - -
>
> Turns out...
>
> PacketFilter::stats_collection_interval is 5 mins by default. You're
> seeing it reported every 5 minutes because that's the reporting interval. :)
>
> If you look into the percentage of traffic you're seeing reported as lost,
> it's actually 0.005% which isn't really that bad. Granted, it doesn't
> explain *why* you had a few packets reported as lost but in the grand
> scheme of things it's really not that bad.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140306/91f8e6a0/attachment.html
More information about the Bro
mailing list