[Bro] Bro with 10Gb NIC's or higher
Seth Hall
seth at icir.org
Fri Jan 9 13:45:03 PST 2015
> On Jan 9, 2015, at 4:37 PM, John Donnelly <jdonnelly at dyn.com> wrote:
>
> How I can I specify another directory ?
What do you mean?
> What do the fields mean ?
�
It’s documented:
https://www.bro.org/sphinx/scripts/policy/misc/capture-loss.bro.html#type-CaptureLoss::Info
> root at x64-01:/# cat cap*
> 1420832673.023244,900.000068,bro,0,0,0.0
> 1420833573.023279,900.000035,bro,0,6,0.0
> 1420833727.951157,154.927878,bro,0,0,0.0
> 1420833885.693988,154.676438,bro,0,0,0.0
That last number is the estimated percent of packet loss. Unnnnnfortunately, I think I know enough to guess that your traffic is heavily leaning toward DNS and capture-loss relies on having a lot of TCP available so in your case the numbers might be misleading.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list