[Bro] Broctl netstats
Johanna Amann
johanna at icir.org
Tue May 8 17:12:30 PDT 2018
Hi,
On Thu, May 03, 2018 at 02:41:44PM -0400, Carl Rotenan wrote:
> Could someone explain the dropped and link columns in the broctl
> netstats output?
>
> Ex
> recvd=12409185 dropped=33782 link=12409185

The information comes out of the get_net_stats.bif. Documentation is at
https://www.bro.org/sphinx/scripts/base/bif/stats.bif.bro.html#id-get_net_stats.
According to this, the numbers mean: "the number of packets (i) received
by Bro, (ii) dropped, and (iii) seen on the link (not always available)."

For the standard pcap input method, received is incremented each time that
Bro handles a packet. Dropped and link come out of pcap_stats
(https://www.tcpdump.org/manpages/pcap_stats.3pcap.html) and are set to
ps_recv (link) and ps_drop (dropped). ps_ifdrop does not seem to be
available.

I hope that helps,
Johanna
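
Added example, not part of the original message and not Bro or BroControl code: a small Python parser for netstats lines like the one quoted above that computes a per-node drop ratio and handles a missing link counter. The "node: timestamp" line prefix, the sample values other than the quoted line, the threshold, and the choice of denominator are assumptions.

```python
import re

# Constructed sample output; the "node: timestamp" prefix is an assumed layout.
SAMPLE = """\
worker-1: 1525824750.000000 recvd=12409185 dropped=33782 link=12409185
worker-2: 1525824750.000000 recvd=9000000 dropped=0 link=9000000
worker-3: 1525824750.000000 recvd=500000 dropped=125000
"""

FIELD = re.compile(r"\b(recvd|dropped|link)=(\d+)")

def parse_netstats(text):
    """Return {node: {"recvd": int, "dropped": int, "link": int or None}}."""
    stats = {}
    for line in text.splitlines():
        fields = {k: int(v) for k, v in FIELD.findall(line)}
        if "recvd" not in fields or "dropped" not in fields:
            continue  # not a counter line (error message, blank line, ...)
        node = line.split(":", 1)[0].strip() if ":" in line else "unknown"
        fields.setdefault("link", None)  # link is "not always available"
        stats[node] = fields
    return stats

def drop_ratio(entry):
    """Fraction of packets dropped.

    Assumption: link (ps_recv) is the denominator when present, otherwise
    recvd + dropped. What ps_recv counts varies by platform.
    """
    total = entry["link"] if entry["link"] else entry["recvd"] + entry["dropped"]
    return entry["dropped"] / total if total else 0.0

def lossy_nodes(text, threshold=0.001):
    """Names of nodes whose drop ratio exceeds threshold, sorted."""
    return sorted(n for n, e in parse_netstats(text).items()
                  if drop_ratio(e) > threshold)

if __name__ == "__main__":
    for node, entry in parse_netstats(SAMPLE).items():
        print(f"{node}: {drop_ratio(entry):.4%} dropped (link={entry['link']})")
    print("above threshold:", lossy_nodes(SAMPLE))
```

The counters are cumulative, so the ratio describes the whole run of the process rather than the most recent interval.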