[Bro] capture loss vs dropped packets
craig bowser
reswob10 at gmail.com
Wed Aug 16 12:36:50 PDT 2017
According to the following:
https://www.bro.org/documentation/faq.html#how-can-i-reduce-the-amount-of-captureloss-or-dropped-packets-notices
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
I can get capture loss notices when Bro isn't getting all the ACKs from
an upstream device (network tap, wrongly configured Ethernet port, etc.),
which is different from dropped packets, which is when Bro can't process all
the packets it sees.
So in my environment, I'm getting entries in the capture-loss.log, but I'm
not getting any corresponding entries in my notice.log.
https://www.bro.org/sphinx/scripts/policy/misc/capture-loss.bro.html
Does this mean that I'm seeing Capture Loss without Dropped Packets, and
that it's caused by a device upstream of Bro?
Thanks.
Craig L Bowser
____________________________
This email is measured by size. Bits and bytes may have settled during
transport.
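The distinction the question turns on (capture loss is gaps in TCP sequence numbers measured against ACKs seen, dropped packets are what the capture interface itself could not hand to Bro) can be checked directly from the logs. The following Python script is an added example, not code from the post or from the Bro project: it parses a constructed capture_loss.log in Bro's tab-separated ASCII format, recomputes percent_lost from the gaps and acks columns the way the policy script does, and flags the intervals that would have crossed the notice threshold. The 10% threshold is an assumption (my recollection of the script's default `too_much_loss`); the `classify` helper and its pkts_dropped input are illustrative and assume you pull the dropped-packet counter from stats.log or broctl netstats yourself.

```python
"""Separate capture loss (upstream gaps) from dropped packets (local drops)
using a Bro capture_loss.log. Sample log below is constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed default of CaptureLoss::too_much_loss; a notice fires when an
# interval's percent_lost reaches this fraction expressed as a percentage.
TOO_MUCH_LOSS = 0.10

# Constructed capture_loss.log in Bro ASCII format (tab-separated).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tcapture_loss",
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble",
    "1502910000.000000\t900.000000\tworker-1\t12\t4000\t0.3",
    "1502910900.000000\t900.000000\tworker-1\t600\t4000\t15.0",
    "1502911800.000000\t900.000000\tworker-2\t0\t3500\t0.0",
    "#close\t2017-08-16-12-45-00",
])


@dataclass
class CaptureLossEntry:
    ts: float
    ts_delta: float
    peer: str
    gaps: int          # TCP sequence gaps observed in the interval
    acks: int          # ACKs observed in the interval
    percent_lost: float


def parse_capture_loss(text: str) -> List[CaptureLossEntry]:
    """Read data rows, using the #fields header to map columns by name."""
    fields: Optional[List[str]] = None
    entries: List[CaptureLossEntry] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        if fields is None:
            raise ValueError("data row before #fields header")
        row = dict(zip(fields, line.split("\t")))
        entries.append(CaptureLossEntry(
            ts=float(row["ts"]),
            ts_delta=float(row["ts_delta"]),
            peer=row["peer"],
            gaps=int(row["gaps"]),
            acks=int(row["acks"]),
            percent_lost=float(row["percent_lost"]),
        ))
    return entries


def recompute_percent_lost(entry: CaptureLossEntry) -> float:
    """Same arithmetic as the policy script: gaps as a percentage of ACKs seen."""
    if entry.acks == 0:
        return 0.0
    return 100.0 * entry.gaps / entry.acks


def notices_expected(entries: List[CaptureLossEntry],
                     threshold: float = TOO_MUCH_LOSS) -> List[CaptureLossEntry]:
    """Intervals whose loss reached the threshold, i.e. where a notice is due.
    Rows below the threshold are still logged, but produce no notice."""
    return [e for e in entries if recompute_percent_lost(e) >= threshold * 100]


def classify(entry: CaptureLossEntry, pkts_dropped: int) -> str:
    """Illustrative triage: gaps with no local drops point upstream of Bro
    (tap, SPAN, NIC); local drops mean Bro or its capture path is overloaded."""
    if entry.gaps == 0 and pkts_dropped == 0:
        return "healthy"
    if pkts_dropped > 0:
        return "dropped_packets_local"
    return "capture_loss_upstream"


if __name__ == "__main__":
    rows = parse_capture_loss(SAMPLE_LOG)
    for e in rows:
        # pkts_dropped=0 here stands in for a stats.log value you would look up
        print(e.peer, e.ts, f"{recompute_percent_lost(e):.1f}%", classify(e, 0))
    print("notices due:", [(e.peer, e.ts) for e in notices_expected(rows)])
```

Run it against your real capture_loss.log by replacing SAMPLE_LOG with the file contents; an interval that shows gaps while the dropped-packet counter stays at zero is exactly the "capture loss without dropped packets" case in the question.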