[Bro] is there a bro script to ignore duplicated logs?

Eric Ooi ericooi at gmail.com
Thu Oct 4 06:42:12 PDT 2018


We had a similar issue and it turned out that the SPAN the network engineer
configured was capturing a trunk such that any inter-VLAN traffic was being
analyzed multiple times.

On Thu, Oct 4, 2018 at 9:37 AM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> Most likely you have separate workers parsing the same traffic.
>
> Can you load the script fatema told you about and also a capture loss
> script and report results for an hour or so?
>
> If each worker sees the same duplicate traffic then the amount of packets
> processed will be very similar.
>
> On Oct 4, 2018, at 1:57 PM, fatema bannatwala <fatema.bannatwala at gmail.com>
> wrote:
>
> How many workers do you have in your cluster?
> Many months ago, we had a split connections issue, where Seth provided a
> script to add the worker node to conn.log to see where exactly packets are
> being processed, i.e. which nodes.
>
> You can run this script and see on which workers the duplicate connections
> are happening and go from there:
>
> $ cat add-node-to-conn.bro
> ##! Add the name of the current node to conn.log
>
> @load base/protocols/conn
>
> export {
>         redef record Conn::Info += {
>                 ## The name of the node where this connection was analyzed.
>                 node: string &log &optional;
>         };
> }
>
> event connection_state_remove(c: connection) &priority=2
>         {
>         c$conn$node = peer_description;
>         }
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
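Once the `node` field is in conn.log, duplicate entries can be tallied per pair of workers. The following is an added example, not part of the original thread: it assumes the default tab-separated log format, treats two records with the same 5-tuple whose `ts` values are within one second of each other as duplicates (the window is an assumption), and runs on constructed sample data with made-up worker names.

```python
from collections import Counter, defaultdict

FIVE_TUPLE = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")

# Constructed sample conn.log, reduced to the columns used here.
# "node" is the field added by add-node-to-conn.bro; worker names are made up.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tnode
1538660000.10\tC1\t10.0.1.5\t51000\t10.0.2.9\t443\ttcp\tworker-1
1538660000.12\tC2\t10.0.1.5\t51000\t10.0.2.9\t443\ttcp\tworker-2
1538660003.40\tC3\t10.0.1.7\t40222\t10.0.3.3\t53\tudp\tworker-2
1538660003.41\tC4\t10.0.1.7\t40222\t10.0.3.3\t53\tudp\tworker-3
1538660010.00\tC5\t10.0.1.8\t50123\t10.0.2.9\t80\ttcp\tworker-1
1538663900.00\tC6\t10.0.1.5\t51000\t10.0.2.9\t443\ttcp\tworker-1
"""

def read_conn_log(text):
    """Yield one dict per record, taking column names from the #fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def find_duplicates(records, window=1.0):
    """Return (5-tuple, node_a, node_b) for same-tuple records close in time."""
    by_tuple = defaultdict(list)
    for r in records:
        key = tuple(r[f] for f in FIVE_TUPLE)
        # "-" stands in for a missing node column or an unset optional field.
        by_tuple[key].append((float(r["ts"]), r.get("node", "-")))
    pairs = []
    for key, seen in by_tuple.items():
        seen.sort()
        for (t1, n1), (t2, n2) in zip(seen, seen[1:]):
            if t2 - t1 <= window:  # later reuse of the same ports is skipped
                pairs.append((key, n1, n2))
    return pairs

def summarize(pairs):
    """Count duplicate pairs per (node, node) combination."""
    return Counter(tuple(sorted((n1, n2))) for _, n1, n2 in pairs)

if __name__ == "__main__":
    for nodes, count in summarize(find_duplicates(read_conn_log(SAMPLE_CONN_LOG))).items():
        print(f"{nodes[0]} / {nodes[1]}: {count} duplicated connection(s)")
```

To run it against a real log, pass the contents of conn.log to `read_conn_log` instead of the sample string.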