[Bro] Bro capture loss without dropped packets

Vern Paxson vern at corelight.com
Thu Mar 15 17:12:28 PDT 2018


> At 10Mbps everything works as expected. As I increase the speed (20Mbps,
> 30Mbps... 200Mbps) I start to see capture_loss reported in the 10-30%
> range, but no dropped packet notices.

The dropped packet notices come from statistics reported by the packet
sources.  In many setups, these statistics are unreliable, which is what
originally led us to develop capture_loss.  capture_loss is quite robust;
if you are losing packets from your monitoring and you have any significant
TCP traffic, it *will* flag the problem.  So one possibility is that the
statistics for your packet capture setup are indeed unreliable, and are
under-reporting lower rates as no loss.

Another possibility is that the trace you're replaying using tcpreplay
itself has capture loss.  The capture_loss mechanism will key off of those
even if the replay is perfect with no additional capture loss, i.e., your
packet source doesn't have any problems until the replay speed gets quite
high.

You could diagnose that second possibility by seeing whether just running
directly off the pcap with -r produces capture loss reports.

		Vern
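
The check suggested in the message above, as an added example that is not part of the original post: compare the capture_loss.log from an offline `-r` run of the pcap against the log from the live replay, to tell loss already present in the trace from loss added by the capture path. The sample log contents, the `trace.pcap` name, the `diagnose` helper and the 1% tolerance are assumptions made for illustration.

```python
# Added example. Sample logs are constructed; field names follow capture_loss.log.
HEADER = ("#separator \\x09\n"
          "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n"
          "#types\ttime\tinterval\tstring\tcount\tcount\tdouble\n")
# Offline baseline, e.g. from: bro -r trace.pcap misc/capture-loss
OFFLINE_LOG = HEADER + ("1521158400.0\t900.0\tbro\t0\t1000\t0.0\n"
                        "1521159300.0\t900.0\tbro\t2\t1000\t0.2\n")
# Live sensor log while the same trace was replayed at high speed.
LIVE_LOG = HEADER + ("1521158400.0\t900.0\tbro\t150\t1000\t15.0\n"
                     "1521159300.0\t900.0\tbro\t250\t1000\t25.0\n")

def parse_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by the names in its #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def aggregate_loss(rows):
    """Overall loss percentage: total ACKed-but-unseen gaps over total ACKs."""
    gaps = sum(int(r["gaps"]) for r in rows)
    acks = sum(int(r["acks"]) for r in rows)
    return 100.0 * gaps / acks if acks else 0.0

def diagnose(offline_text, live_text, tolerance=1.0):
    """Return (offline %, live %, verdict); tolerance is in percentage points."""
    offline = aggregate_loss(parse_bro_log(offline_text))
    live = aggregate_loss(parse_bro_log(live_text))
    if offline <= tolerance and live <= tolerance:
        verdict = "no-loss"
    elif live - offline <= tolerance:
        verdict = "loss-in-trace"          # the pcap itself is missing packets
    elif offline <= tolerance:
        verdict = "loss-in-capture-path"   # trace is clean; the sensor drops
    else:
        verdict = "both"
    return offline, live, verdict

if __name__ == "__main__":
    print("offline=%.1f%% live=%.1f%% -> %s" % diagnose(OFFLINE_LOG, LIVE_LOG))
```
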

