[Bro] is there a bro script to ignore duplicated logs?
Michał Purzyński
michalpurzynski1 at gmail.com
Thu Oct 4 06:26:03 PDT 2018
Most likely you have separate workers parsing the same traffic.
Can you load the script fatema told you about and also a capture loss script and report results for the hour or so?
If each worker sees the same duplicate traffic then the amount of packets processed will be very similar.
> On Oct 4, 2018, at 1:57 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> How many workers do you have in your cluster?
> Many months ago, we had a split connections issue, where Seth provided a script to add the worker node to conn.log to see where exactly packets are being processed, i.e. on which nodes.
>
> You can run this script and see on which workers the duplicate connections are happening and go from there:
>
> $ cat add-node-to-conn.bro
> ##! Add the name of the current node to conn.log
>
> @load base/protocols/conn
>
> export {
>     redef record Conn::Info += {
>         ## The name of the node where this connection was analyzed.
>         node: string &log &optional;
>     };
> }
>
> event connection_state_remove(c: connection) &priority=2
>     {
>     c$conn$node = peer_description;
>     }
>
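Once the quoted script is loaded and conn.log carries the `node` column, the question is which workers logged the same connection. The following Python script is an added example, not code from the thread or from Bro: it reads a (constructed) conn.log excerpt in Bro's TSV format, counts records per node, and lists every 5-tuple that more than one worker logged. It groups by 5-tuple rather than uid because each worker mints its own uid for a connection it sees.

```python
"""Find connections that more than one Bro worker logged (added example)."""
from collections import defaultdict

# Constructed conn.log excerpt in Bro's TSV log format, trimmed to the
# columns needed here plus the `node` column the quoted script appends.
SAMPLE_CONN_LOG = """\
#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tnode
1538650000.1\tCabc1\t10.0.0.5\t51000\t10.0.0.9\t443\ttcp\tworker-1
1538650000.1\tCdef2\t10.0.0.5\t51000\t10.0.0.9\t443\ttcp\tworker-2
1538650001.4\tCghi3\t10.0.0.6\t51001\t10.0.0.9\t80\ttcp\tworker-1
1538650002.0\tCjkl4\t10.0.0.7\t40000\t10.0.0.8\t53\tudp\tworker-2
1538650002.0\tCmno5\t10.0.0.7\t40000\t10.0.0.8\t53\tudp\tworker-1
1538650003.2\tCpqr6\t10.0.0.6\t51002\t10.0.0.9\t80\ttcp\tworker-1
"""

FIVE_TUPLE = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")


def parse_conn_log(text):
    """Yield one dict per record; column names come from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #path, #close) and blanks
        else:
            if fields is None:
                raise ValueError("record before #fields header")
            yield dict(zip(fields, line.split("\t")))


def worker_overlap(text):
    """Return (records per node, {5-tuple: sorted nodes that logged it})."""
    per_node = defaultdict(int)
    nodes_by_tuple = defaultdict(set)
    for rec in parse_conn_log(text):
        node = rec.get("node", "-")  # "-" if the column is unset
        per_node[node] += 1
        nodes_by_tuple[tuple(rec[f] for f in FIVE_TUPLE)].add(node)
    duplicated = {k: sorted(v) for k, v in nodes_by_tuple.items() if len(v) > 1}
    return dict(per_node), duplicated


if __name__ == "__main__":
    counts, dups = worker_overlap(SAMPLE_CONN_LOG)
    print("records per node:", counts)
    print(f"{len(dups)} connection(s) logged by more than one worker:")
    for key, nodes in dups.items():
        print("  ", key, "->", ", ".join(nodes))
```

If the per-node counts are nearly equal and most 5-tuples show up on every worker, each worker is being fed the same traffic, which is the situation described above.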