[Bro] Regarding bro capture_loss

sourav maji sm8kk at virginia.edu
Mon Apr 30 15:59:31 PDT 2018


Hi,

Sorry if my questions have already been answered, but it would be really
helpful if anyone could provide information on the following.

1. Does Bro's capture_loss indicate that packets mirrored from a switch's
SPAN/TAP port to a server running Bro are being dropped in the mirroring
process somewhere upstream?

In our particular setting, we are seeing zero packet drops reported by
"broctl netstats" but more than 40% packet losses in capture_loss. Does
that imply that the server running bro is not dropping any packets but that
packets are being dropped upstream? Bidirectional traffic is sent to the
server running bro using SPAN ports.

2. Is there a document that explains in detail how capture loss is
computed?
It says "Reported loss is computed in terms of the number of “gap events”
(ACKs for a sequence number that’s above a gap)."
What exactly is a gap event and how is the function call "get_gap_stats()"
defined? The code in "capture-loss.bro" does not explain how acks and gaps
can be used to estimate capture loss. Any detailed documentation would be
useful.

Thanks and regards,
Sourav Maji