[Bro] Help with missed_bytes affecting hash creations in files.log

Vlad Grigorescu vladg at illinois.edu
Mon Jul 18 14:06:23 PDT 2016


Try adding this to local.bro:

@load misc/capture-loss

And then checking the capture_loss.log file which it will generate (will
take 15 minutes to get it to appear initially). For more information
about capture loss, see:

https://www.bro.org/documentation/faq.html#how-can-i-reduce-the-amount-of-captureloss-or-dropped-packets-notices

  --Vlad

Stephen Castellarin <castle1126 at yahoo.com> writes:

> Hi,
> I have Bro 2.4.1 running on an older system (2 Intel X5550 processors giving 8 CPUs), 48Gb memory running 64 bit Ubuntu (14.04.4) server, using PF_Ring with an Intel 82571EB Ethernet card (1gb copper).  This system is sitting on a network tap that is just seeing SMTP traffic between our outer mail gateway and our inside mail infrastructure.  My Bro configuration is relatively simple, with a nodes.cfg being:
>
> [manager]
> type=manager
> host=localhost
> #
> [proxy-1]
> type=proxy
> host=localhost
> #
> [worker-1]
> type=worker
> host=localhost
> interface=eth5
> lb_method=pf_ring
> lb_procs=8
>
> When I look at the files.log file I see instances of files that have missing_bytes, which causes the hashes to not be calculated.  Running an IFCONFIG I don't see any drops, errors, etc.  Same with running broctl netstats, no drops.  SAR reports on that system show the CPUs running at 73% IDLE.
> Is there something I'm missing in tuning or tweaking our configuration?  Can I get to a point where I have zero files with no missed_bytes, or will there always be something or things with missed_bytes?  A hardware upgrade can be in our future, but I'm trying to prove this concept by using this setup to help get funding for upgrading.
>
> Thanks all,
> Steve
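As an added example (not part of the original thread, and not code from the Bro project), the check discussed above can be scripted: list the files.log entries whose reassembly had gaps and therefore carry no hash, and report the worst percent_lost per worker from capture_loss.log. The sample log lines, fuids, worker names and function names are constructed for illustration, and the sample files.log shows only a subset of the real columns.

```python
# Constructed sample logs in Bro's tab-separated ASCII format (not data from
# the thread). Real logs carry more columns; the #fields header names them.
FILES_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tfuid\tsource\tseen_bytes\tmissing_bytes\tmd5",
    "1468875000.10\tFaaaa1\tSMTP\t20480\t0\t" + "a" * 32,
    "1468875001.20\tFbbbb2\tSMTP\t51200\t1460\t-",
    "1468875002.30\tFcccc3\tSMTP\t4096\t0\t" + "c" * 32,
])
CAPTURE_LOSS_LOG = "\n".join([
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "1468875900.0\t900.0\tworker-1-1\t0\t4000\t0.000000",
    "1468875900.0\t900.0\tworker-1-3\t100\t4000\t2.500000",
    "1468876800.0\t900.0\tworker-1-3\t20\t4000\t0.500000",
])


def read_bro_log(text):
    """Yield one dict per record, taking column names from the #fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def files_with_gaps(text):
    """Return (fuid, missing_bytes, has_md5) for files with missing bytes."""
    hits = []
    for rec in read_bro_log(text):
        missing = int(rec["missing_bytes"])
        if missing > 0:
            # "-" is Bro's marker for an unset field, i.e. no hash was logged.
            hits.append((rec["fuid"], missing, rec["md5"] != "-"))
    return hits


def worst_loss_by_peer(text):
    """Return the highest percent_lost reported by each worker."""
    worst = {}
    for rec in read_bro_log(text):
        pct = float(rec["percent_lost"])
        worst[rec["peer"]] = max(pct, worst.get(rec["peer"], 0.0))
    return worst


if __name__ == "__main__":
    print(files_with_gaps(FILES_LOG))
    print(worst_loss_by_peer(CAPTURE_LOSS_LOG))
```

To run it against live data, pass the contents of the current files.log and capture_loss.log instead of the constructed strings.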