[Bro] Packet loss

Johanna Amann johanna at icir.org
Tue Oct 25 12:05:01 PDT 2016


Just to check - are you running Bro in cluster mode? A 1gb tap is
probably too much for a single process to handle.

Apart from that, at first glance, that really just looks like Bro cannot
keep up with processing packets. If packets come in bursts, that might
be one reason why the CPU load looks ok, while there is a huge packet
loss.

Johanna

On Mon, Oct 24, 2016 at 04:39:07PM +1000, John Edwards wrote:
> Hi all
> 
> I have just deployed bro onto two systems on my border gateway. They sit
> off a tap and each system has individual Rx and Tx interfaces bridged using
> brctl. I am not seeing any interface dropped packets or errors from the
> Ubuntu host via ifconfig.
> 
> When looking at my data within bro that monitors a standalone configuration
> of br0 has the below line repeated a few times throughout the notice.log
> 
> 1477283201.681213       -       -       -       -       -       -       -
>      -       -       PacketFilter::Dropped_Packets   2739608 packets
> dropped after filtering, 12351460 received, 12351686 on link    -       -
>      -       -       -       bro     Notice::ACTION_LOG3600.000000   F
>  -       -       -       -       -
> We seem to be getting lots of data and as far as CPU and memory resource
> consumption goes it's not under strenuous load. I haven't changed too much
> of the configuration of the 2.4.1 build.
> 
> Sorry if this has been discussed or asked before but what can I look at
> optimising or tuning to reduce the packet loss?
> 
> One thread I found wasn't Bro's issue but the tap and an upgrade of the
> software fixed it. I cannot do this as it's without software to tune. It's
> a vss active 1gb tap, doesn't seem to be the tap at this stage but it quite
> possibly could be :)
> 
> Thanks
> John
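
Added example, not part of the original thread or of Bro itself: a small Python parser that pulls the PacketFilter::Dropped_Packets notices out of notice.log text and reports the loss per interval, so the bursts discussed above can be lined up against time. The sample rows are constructed with abbreviated columns (the first reuses the counts quoted in the thread), and computing loss as dropped / received is an assumption.

```python
import re
from datetime import datetime, timezone

# Message text of the notice as quoted in the thread; the ", N on link"
# part is treated as optional (assumption).
DROP_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s.*?PacketFilter::Dropped_Packets\s+"
    r"(?P<dropped>\d+) packets dropped after filtering, "
    r"(?P<received>\d+) received(?:, (?P<link>\d+) on link)?"
)

def parse_drop_notices(log_text):
    """Return one dict per Dropped_Packets notice found in notice.log text."""
    results = []
    for line in log_text.splitlines():
        if line.startswith("#"):          # skip log header lines
            continue
        m = DROP_RE.search(line)
        if not m:                         # some other notice type
            continue
        dropped, received = int(m["dropped"]), int(m["received"])
        results.append({
            "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
            "dropped": dropped,
            "received": received,
            "on_link": int(m["link"]) if m["link"] else None,
            # Assumption: loss is expressed relative to packets received.
            "loss_pct": 100.0 * dropped / received if received else 0.0,
        })
    return results

def intervals_over(notices, threshold_pct=1.0):
    """Notices whose loss is at or above threshold_pct (hypothetical cutoff)."""
    return [n for n in notices if n["loss_pct"] >= threshold_pct]

# Constructed sample rows; real notice.log rows carry more columns.
SAMPLE = "\n".join([
    "#fields\tts\tuid\tnote\tmsg",
    "1477283201.681213\t-\tPacketFilter::Dropped_Packets\t2739608 packets "
    "dropped after filtering, 12351460 received, 12351686 on link\t-\tbro",
    "1477283300.000000\t-\tExample::Other_Notice\tplaceholder message\t-\tbro",
    "1477286801.681213\t-\tPacketFilter::Dropped_Packets\t120 packets "
    "dropped after filtering, 9000000 received\t-\tbro",
])

if __name__ == "__main__":
    for n in intervals_over(parse_drop_notices(SAMPLE)):
        print(f'{n["time"]:%Y-%m-%d %H:%M:%S}Z  loss {n["loss_pct"]:.2f}%')
```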
