[Bro] Dropped data

Michał Purzyński michalpurzynski1 at gmail.com
Fri May 11 01:32:42 PDT 2018


There’s no advantage in using crazy solutions that make you jump through multiple hoops when most of the time the default, built-in packet capture mechanism works well.

> On May 10, 2018, at 5:45 AM, Carl Rotenan <carlrotenan at gmail.com> wrote:
> 
> Michal,
> 
> Could you explain what you meant by switching to AF_PACKET and avoiding the problem altogether?
> 
> Thanks,
> 
> Carl
> 
>> On Tue, May 8, 2018 at 9:20 PM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
>> What kind of cards and distribution do you have? Maybe you could just switch to afpacket to avoid the problem entirely.
>> 
>> > On May 8, 2018, at 5:17 PM, Johanna Amann <johanna at icir.org> wrote:
>> > 
>> > Hi,
>> > 
>> > this actually does not look very bad to me - on most interfaces you do not
>> > seem to have any drops. One of them has a bit over 2% which is not that
>> > pretty but also not catastrophic.
>> > 
>> > I have no experience with ZC, but generally packet loss can be caused by a
>> > number of issues. Single high-speed connections can be problematic
>> > (because they add to the normal load of a single Bro process). Microbursts
>> > also happen and can lead to a bit of packet loss.
>> > 
>> > If there is a setting to increase the available buffer, that might be
>> > worth playing around with.
>> > 
>> > Johanna
>> > 
>> >> On Wed, May 02, 2018 at 04:13:07PM -0400, Carl Rotenan wrote:
>> >> Hello,
>> >> 
>> >> Can someone give me some direction on trying to figure out why I have
>> >> dropped data?
>> >> 
>> >> This output is from a machine getting about 3G of traffic a minute or so
>> >> into starting Bro 2.5.3 with PF_RING 7.0.0.
>> >> 
>> >> How much data per worker should I expect to budget for? Ideally I'd like
>> >> Bro to be able to do 10G of traffic.
>> >> 
>> >> Has anyone used PF_RING ZC with success?
>> >> 
>> >> worker-0-1: 1525291681.760081 recvd=564836 dropped=0 link=564836
>> >> worker-0-2: 1525291681.961074 recvd=723187 dropped=0 link=723187
>> >> worker-0-3: 1525291682.162178 recvd=682598 dropped=4619 link=682598
>> >> worker-0-4: 1525291682.364202 recvd=1094776 dropped=0 link=1094776
>> >> worker-0-5: 1525291682.566055 recvd=6722748 dropped=30902 link=6722748
>> >> worker-0-6: 1525291682.768050 recvd=2180528 dropped=0 link=2180528
>> >> worker-0-7: 1525291682.969023 recvd=3252824 dropped=0 link=3252824
>> >> worker-0-8: 1525291683.179065 recvd=414112 dropped=0 link=414112
>> >> worker-0-9: 1525291683.379083 recvd=2228892 dropped=52543 link=2228892
>> >> worker-0-10: 1525291683.579973 recvd=1735298 dropped=0 link=1735298
>> >> worker-0-11: 1525291683.780260 recvd=2720785 dropped=1437 link=2720785
>> >> worker-0-12: 1525291683.981421 recvd=5835651 dropped=7610 link=5835651
>> >> worker-0-13: 1525291684.181057 recvd=566766 dropped=0 link=566766
>> >> worker-0-14: 1525291684.381979 recvd=335114 dropped=0 link=335114
>> >> worker-0-15: 1525291684.582077 recvd=743998 dropped=0 link=743998
>> >> worker-0-16: 1525291684.782897 recvd=6124252 dropped=54604 link=6124252
>> >> worker-0-17: 1525291684.980916 recvd=3476401 dropped=17138 link=3476401
>> >> worker-0-18: 1525291685.184047 recvd=1286574 dropped=0 link=1286574
>> > 
>> >> _______________________________________________
>> >> Bro mailing list
>> >> bro at bro-ids.org
>> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
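The per-worker loss figures discussed in this thread can be computed directly from the netstats lines. The following is an added example, not part of any message in the thread: it parses the quoted output (a subset of the lines above, with the archive's ">" quoting left in) and reports each worker's drop percentage. It assumes loss is `dropped / link`, falling back to `recvd + dropped` when no link counter is reported; the function names are hypothetical.

```python
import re

# Subset of the netstats lines quoted in this thread, ">" quoting included.
SAMPLE = """\
>> >> worker-0-1: 1525291681.760081 recvd=564836 dropped=0 link=564836
>> >> worker-0-5: 1525291682.566055 recvd=6722748 dropped=30902 link=6722748
>> >> worker-0-9: 1525291683.379083 recvd=2228892 dropped=52543 link=2228892
>> >> worker-0-16: 1525291684.782897 recvd=6124252 dropped=54604 link=6124252
"""

# Leading ">" and whitespace are tolerated; the link counter is optional.
LINE_RE = re.compile(
    r"^[>\s]*(?P<worker>\S+):\s+(?P<ts>\d+\.\d+)\s+"
    r"recvd=(?P<recvd>\d+)\s+dropped=(?P<dropped>\d+)(?:\s+link=(?P<link>\d+))?\s*$"
)


def parse_netstats(text):
    """Return one dict per worker line; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        recvd, dropped = int(m["recvd"]), int(m["dropped"])
        link = int(m["link"] or 0)
        # Assumption: loss = dropped / link; without a link counter,
        # use recvd + dropped as the denominator instead.
        denom = link if link > 0 else recvd + dropped
        pct = 100.0 * dropped / denom if denom else 0.0
        rows.append({"worker": m["worker"], "recvd": recvd,
                     "dropped": dropped, "link": link, "drop_pct": pct})
    return rows


def workers_over(rows, threshold_pct):
    """Names of workers whose drop percentage exceeds the threshold."""
    return [r["worker"] for r in rows if r["drop_pct"] > threshold_pct]


if __name__ == "__main__":
    rows = parse_netstats(SAMPLE)
    for r in sorted(rows, key=lambda r: r["drop_pct"], reverse=True):
        print(f"{r['worker']:<12} {r['drop_pct']:6.2f}%  dropped={r['dropped']}")
    print("over 1%:", workers_over(rows, 1.0))
```

Run over successive netstats snapshots, the same parsing shows whether loss stays on the same workers or moves between them.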