[Bro] Capture Loss
Drew Dixon
dwdixon at umich.edu
Thu Mar 9 13:27:55 PST 2017
Did you search the email list already or did you just join the list? Are
you capturing the traffic from a SPAN port or a Tap? Is your network full
of asymmetrical traffic/routing? Answers to these two questions first is
pretty important IMO. I responded to a very similar question around 6 days
ago or so on list...here's what I said again:
_____________________________
First I think the recommended number of workers is something like number of
*real* cores (not counting hyperthreading) -2 so for 8 *real* cores you
would use 6 workers, if you have 16 *real* cores you probably want closer
to 14 workers if this is a dedicated bro box. Maybe try bumping up your
number of workers and enabling cpu pinning if you haven't done so.
Have you reviewed everything located here? :
https://www.bro.org/documentation/faq.html#how-can-i-reduce-
the-amount-of-captureloss-or-dropped-packets-notices
Specifically a few things come to mind...I know you mentioned NIC settings
but are you sure you disabled all the NIC offloading features using
ethtool?, more detail on that at this link:
http://securityonion.blogspot.com/2011/10/when-is-full-packe
t-capture-not-full.html
Also, wouldn't hurt to double check the the pf_ring kernel module is
loaded/loading staying loaded? If you patch the server and the kernel gets
updated unless you have something automated to reload/reinstall the pf_ring
module you will probably need to reload the pf_ring module for the new
kernel...
Also, did you configure the number of ring slots for PF_RING ?
Check to be sure that /etc/modprobe.d/pf_ring.conf exists for your PF_RING
installation...this is where you will configure the number of ring slots
for PF_RING, the default is 4096 I believe but on busy networks this needs
to be increased as appropriate (in increments of 4096)...the max value is
65534. I would try that if you've tried everything else at the first link
above to no avail...
This is also a great resource re: PF_RING and number of ring slots:
https://groups.google.com/forum/#!topic/security-onion/zu7U7U9pBT8
Hope this helps,
-Drew
____________________________
On Tue, Mar 7, 2017 at 10:34 AM, Arash Fallah <af7 at umbc.edu> wrote:
> I'm running Bro in a clustered configuration using PF_RING to have 8
> separate workers on one box. Additionally, I have commented out almost
> everything in the default local.bro to run in Bro as efficiently as
> possible. Together, these 8 workers are using less than 20% of total CPU
> capacity.
>
> However, we are experiencing capture loss consistently in the 50% range,
> even though CPUs are idle 80% of the time on average.
>
> Does anyone have any experience with this? I would greatly appreciate the
> help.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170309/2dc57927/attachment.html
More information about the Bro
mailing list