[Bro] High orig_bytes value
Danilo Nicolò
dani.nicolo at gmail.com
Mon Aug 29 10:01:17 PDT 2016
Hello guys,
I'm testing Bro 2.5 beta with netmap, and I noticed this row:
{"ts":1472467151.681244,"uid":"CgoIaB3GxSCIEgWea7","id.orig_h":"192.168.181.107","id.orig_p":11328,"id.resp_h":"172.16.1.60","id.resp_p":9997,"proto":"tcp","duration":0.362595,"orig_bytes":4294967296,"resp_bytes":4294967296,"conn_state":"SF","local_resp":true,"missed_bytes":1168863602,"history":"ShAFFff","orig_pkts":7,"orig_ip_bytes":292,"resp_pkts":4,"resp_ip_bytes":184,"tunnel_parents":[],"local_origi":"T4","local_respo":"T4"}
If you look at this log, you can see that 4 GB of data was exchanged in
0 sec, which is impossible.
I followed the netmap installation guide, patching the Intel igb driver,
and so I am using the system libpcap (version 0.8).
Has anyone had this kind of problem? Might it be a netmap problem? Should I
use pf_ring instead?
Thanks in advance,
Danilo
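
Added example (not part of the original post and not Bro project code): a sanity check over JSON conn.log rows that flags byte counters like the ones in the row above. The 1 Gbit/s link speed, the function names and the second sample row are assumptions made for illustration.

```python
import json

SEQ_SPACE = 2 ** 32  # size of the 32-bit TCP sequence-number space

# Constructed sample input: row 1 keeps the counter fields of the row in the
# post above; row 2 is an invented, ordinary-looking connection.
SAMPLE = [
    '{"uid":"CgoIaB3GxSCIEgWea7","duration":0.362595,"orig_bytes":4294967296,'
    '"resp_bytes":4294967296,"missed_bytes":1168863602,"orig_pkts":7,'
    '"orig_ip_bytes":292,"resp_pkts":4,"resp_ip_bytes":184}',
    '{"uid":"Cconstructed0000001","duration":1.5,"orig_bytes":120,'
    '"resp_bytes":3000,"missed_bytes":0,"orig_pkts":5,"orig_ip_bytes":380,'
    '"resp_pkts":6,"resp_ip_bytes":3320}',
]

def check_row(row, link_bps=1e9):
    """Reasons one row's byte counters look implausible (link_bps is assumed)."""
    reasons = []
    duration = row.get("duration") or 0.0
    missed = row.get("missed_bytes") or 0
    for side in ("orig", "resp"):
        payload = row.get(side + "_bytes")
        ip_bytes = row.get(side + "_ip_bytes")
        if not payload:
            continue  # field absent or zero: nothing to sanity-check
        # Heuristic: payload should not exceed the bytes counted at the IP
        # layer plus the bytes reported as missing in content gaps.
        if ip_bytes is not None and payload > ip_bytes + missed:
            reasons.append(side + ": payload exceeds ip_bytes + missed_bytes")
        # Implied throughput higher than the assumed link could carry.
        if duration > 0 and payload * 8 / duration > link_bps:
            reasons.append(side + ": implied rate above link speed")
        # Exact multiple of 2^32, as in the row from the post.
        if payload % SEQ_SPACE == 0:
            reasons.append(side + ": multiple of 2^32")
    return reasons

def scan(lines, link_bps=1e9):
    """Map uid -> reasons for every JSON conn.log line that trips a check."""
    flagged = {}
    for line in lines:
        row = json.loads(line)
        reasons = check_row(row, link_bps)
        if reasons:
            flagged[row.get("uid")] = reasons
    return flagged

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Rows flagged this way are candidates for a capture or counter problem rather than real transfers; the check does not say which component produced the value.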