[Bro] Bro and APCON

Josh Guild josh.guild at morphick.com
Thu Apr 21 09:22:34 PDT 2016


Yep, in one of the environments, we're getting a ton of
"possible_split_routing" and "data_before_established" both with and
without the APCON in the mix.
Thinking it has to do with how Bro is handling the load balancing to
workers.

On Thu, Apr 21, 2016 at 10:45 AM, Dave Crawford <bro at pingtrip.com> wrote:

> Thanks Josh,
>
> We’re also trying to determine if the Apcon is a red herring since
> (unfortunately) two changes were made at the same time. While we swapped
> our Anues for Apcons the network team was also upgrading to Nexus switches.
>
> Our weird log started filling with “data_before_established” and
> “possible_split_routing” events right after the changes.
>
> -Dave
>
>
> On Apr 21, 2016, at 10:30 AM, Josh Guild <josh.guild at morphick.com> wrote:
>
> Hi Dave,
>
> We bypassed the APCON in one of the environments and it helped a little
> with capture loss (about a 10% drop) and errors in the weird.log.
> Unfortunately, this was during a weekend so it's tough to say how much of
> an impact it made. Another network we're in fixed some load balancing
> issues upstream and this helped significantly with loss (though weird.logs
> remain about where they were). I think the APCON may have been a red
> herring in this instance but I'd be curious to see how your network looks
> before and after implementation if you'd like to keep in touch.
>
> The main things I've been looking at are capture loss and weird.log errors
> (specifically HTTP_version_mismatch, SYN_seq_jump,
> TCP_seq_underflow_or_misorder); these may lean towards traffic being
> mangled. This presentation is pretty helpful in showing you what to look
> for:
> https://speakerdeck.com/vladg/bro-deployment-verification-and-troubleshooting
>
> Thanks!
>
> On Thu, Apr 21, 2016 at 10:08 AM, Dave Crawford <dave at pingtrip.com> wrote:
>
>> Josh,
>>
>> Were you able to solve this issue? We just started swapping out our
>> current solution with Apcon’s and wondering if we’ll run into the same
>> issue.
>>
>> -Dave
>>
>> On Apr 7, 2016, at 2:39 PM, Josh Guild <josh.guild at morphick.com> wrote:
>>
>> Hi all,
>>
>> We have a few deployments that utilize an APCON for traffic aggregation.
>> We've noticed in these environments that Bro has trouble reassembling the
>> traffic correctly and there is a significant amount of capture loss (based
>> on the script). We've tried different hashing algorithms on the APCON to no
>> effect.
>>
>> Has anyone else seen anything similar to this or have any insight?
>>
>> Thanks!
>>
>> --
>> Josh Guild
>> Network Intelligence Analyst
>> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>
>
>
> --
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>
>
>


-- 
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
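As an added example (not code from this thread or from Bro itself), a small Python triage script that parses a weird.log in Bro's tab-separated ASCII format and reports how the weird names discussed above are distributed per worker ("peer" column). The log fragment is constructed; a skewed per-worker share is what you would look for when, as suspected above, load balancing to workers is the cause rather than the aggregator.

```python
"""Tally Bro weird.log names that hint at split routing / mangled traffic,
broken down per worker. Constructed sample data; not from the thread."""
from collections import Counter, defaultdict

# Weird names the thread associates with split routing or reassembly trouble.
SPLIT_ROUTING_WEIRDS = {
    "possible_split_routing", "data_before_established",
    "SYN_seq_jump", "TCP_seq_underflow_or_misorder", "HTTP_version_mismatch",
}

# Constructed weird.log fragment; column order follows the Bro 2.x Weird::Info record.
SAMPLE_WEIRD_LOG = """#separator \\x09
#path\tweird
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring
1461252000.1\tCa1\t10.0.0.5\t51234\t192.0.2.10\t80\tpossible_split_routing\t-\tF\tworker-1
1461252000.2\tCb2\t10.0.0.6\t51235\t192.0.2.11\t443\tdata_before_established\t-\tF\tworker-1
1461252000.3\tCc3\t10.0.0.7\t51236\t192.0.2.12\t80\tHTTP_version_mismatch\t-\tF\tworker-1
1461252000.4\tCd4\t10.0.0.8\t51237\t192.0.2.13\t80\tbad_HTTP_request\t-\tF\tworker-2
1461252000.5\tCe5\t10.0.0.9\t51238\t192.0.2.14\t22\tSYN_seq_jump\t-\tF\tworker-2
1461252000.6\tCf6\t10.0.0.9\t51239\t192.0.2.14\t25\tpossible_split_routing\t-\tF\tworker-1
"""

def parse_bro_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close...) and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def split_routing_report(text):
    """Return (Counter of weird names, dict peer -> share of split-routing weirds)."""
    by_name = Counter()
    by_peer = defaultdict(lambda: [0, 0])  # peer -> [suspicious, total]
    for rec in parse_bro_log(text):
        by_name[rec["name"]] += 1
        by_peer[rec["peer"]][0] += rec["name"] in SPLIT_ROUTING_WEIRDS
        by_peer[rec["peer"]][1] += 1
    share = {peer: susp / total for peer, (susp, total) in by_peer.items()}
    return by_name, share

if __name__ == "__main__":
    import sys  # pass a real weird.log path as the first argument to use it instead
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEIRD_LOG
    names, share = split_routing_report(log)
    print(names.most_common(), {p: round(s, 2) for p, s in share.items()})
```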