[Zeek] 「FOR HELP」The mirrored traffic is heavily lost.

Richard Bejtlich richard at corelight.com
Tue Oct 29 11:05:32 PDT 2019


How are you mirroring the traffic? If it’s a switch span port, that could
be the source of the dropped traffic.



On Tue, Oct 29, 2019 at 7:30 AM 杨毅凌 <1766521944 at qq.com> wrote:

> I mirrored the traffic between the core switch of our computer room and
> the public network firewall, but the Zeek report contained a lot of packet
> loss (30%), and currently uses PF_RING for packet capture. I confirm that
> the hardware is fully capable of handling these packets. "Capture loss" and
> "dropped packets" have alarms. At the same time, in the weird log, a large
> number of TCP_seq/ack_underflow_or_misorder logs are included.
> So I want to know why there is such a high rate of packet loss, how to
> trace the cause, and how to solve it. I look forward to receiving your reply.

Richard Bejtlich
Principal Security Strategist, Corelight