[Zeek] Unusual broctl netstats reporting with pf_ring

COLIN BLAIR mnmblair at hotmail.com
Tue Feb 12 11:38:03 PST 2019


Hi All,

Our Bro is reporting very strange netstats statistics. The drop number is more than twice the link number. Any ideas on what is happening here?

broctl netstats:

Average packet loss as percent across all Bro workers: 251.835667

worker-1-1: 1550022753.774609 recvd=35689158 dropped=86096548 link=35689158
worker-1-2: 1550022753.788585 recvd=34277909 dropped=87669653 link=34277909
worker-1-3: 1550022753.789779 recvd=34412791 dropped=87326521 link=34412791
worker-1-4: 1550022753.794761 recvd=34869235 dropped=86902007 link=34869235
worker-1-5: 1550022753.799623 recvd=34265107 dropped=87488621 link=34265107
worker-1-6: 1550022753.804947 recvd=34060558 dropped=87602513 link=34060558
worker-1-7: 1550022753.814827 recvd=34218781 dropped=87558368 link=34218781
worker-1-8: 1550022753.820166 recvd=34766455 dropped=86960847 link=34766455
worker-1-9: 1550022753.834761 recvd=34332784 dropped=87497148 link=34332784
worker-1-10: 1550022753.835729 recvd=35214323 dropped=86518901 link=35214323

capture_loss.log:

1550021287.104721 900.000010 worker-1-10 272473 425817 63.988286
1550021287.109046 900.000035 worker-1-3 270351 423410 63.850877
1550021287.107021 900.000046 worker-1-7 259620 400463 64.829959
1550021287.114122 900.000029 worker-1-6 245851 376472 65.303927
1550021287.112851 900.000041 worker-1-9 248946 382272 65.12274
1550021287.115733 900.000003 worker-1-1 282999 446957 63.316829
1550021287.234103 900.000051 worker-1-2 265041 413733 64.06088
1550021293.032640 905.925803 worker-1-4 261831 403461 64.896235
1550021296.088983 908.982076 worker-1-8 259122 398183 65.076108
1550021306.079690 918.960314 worker-1-5 251744 384902 65.4047

I have verified Bro is linked to pfring libpcap and pfringclusterid = 21 is in broctl.cfg.

=========================================================================
Capture Interface
=========================================================================
eth0: flags=4547<UP,BROADCAST,RUNNING,NOARP,PROMISC,MULTICAST>  mtu 1500
        ether 0c:c4:7a:cf:66:b8  txqueuelen 1000  (Ethernet)
        RX packets 1220292429  bytes 283890695229 (264.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

=========================================================================
PF_RING
=========================================================================
PF_RING Version          : 7.5.0 (unknown)
Total rings              : 13

Standard (non ZC) Options
Ring slots               : 65536
Slot version             : 17
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

Name:         eth0
Index:        14
Address:      0C:C4:7A:CF:66:B8
Polling Mode: NAPI
Type:         Ethernet
Family:       Standard NIC
# Bound Sockets:  13
TX Queues:    32
RX Queues:    32

node.cfg:
[manager]
type=manager
host=localhost

[logger]
type=logger
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=10
pin_cpus=1,2,3,4,5,6,7,8,9,10


Thank you in advance.

CB