jiahui zhao
2018-11-22 06:50:34 UTC
@Robert Cotter Thank you for your reply ïŒ
I try the solution you given , but i didn't work.
Maybe it's the pf_ring that causes the problem.
When i used tcpdump, i finded the same problem of Dropped Packets.
Runtime environment:
NIC is Broadcom Corporation NetXtreme BCM5720 Gigabit Ethernet PCIe
pf_ring version is 7.1.0
bro 2.5.5
linux:centos
I try the solution you given , but i didn't work.
Maybe it's the pf_ring that causes the problem.
When i used tcpdump, i finded the same problem of Dropped Packets.
Runtime environment:
NIC is Broadcom Corporation NetXtreme BCM5720 Gigabit Ethernet PCIe
pf_ring version is 7.1.0
bro 2.5.5
linux:centos
Send Bro mailing list submissions to
To subscribe or unsubscribe via the World Wide Web, visit
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
You can reach the person managing the list at
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bro digest..."
1. Re: Dropped Packets too much (jiahui zhao) (Robert Cotter)
2. Disable Log Stream but not the analyzers (Alex Kefallonitis)
----------------------------------------------------------------------
Message: 1
Date: Wed, 21 Nov 2018 02:17:06 +0000
Subject: Re: [Bro] Dropped Packets too much (jiahui zhao)
Content-Type: text/plain; charset="us-ascii"
I would suggest doing some reading on Bro clustering going a little deeper
on your 'lb' configuration.
Not knowing what the data/packet rates you are attempting to process but
in my experience asking a single process thread to do more than 300 Mb is
going to ensure you get packet drops.
Below is part of my node.cfg for a 500Mb complex network data test lab
setup I am currently running hosted in Centos KVM so I can learn/test some
of the DNS/SSL scripting features.
[worker-1]
type=worker
host=localhost
#Interface=dag0
lb_procs=4
lb_method=interfaces
lb_interfaces=dag0,dag1,dag2,dag3
pin_cpus=4,5,6,7
Hope this helps you.
Regards
Robert Cotter
-------------- next part --------------
An HTML attachment was scrubbed...
http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181121/d49c33d5/attachment-0001.html
------------------------------
Message: 2
Date: Wed, 21 Nov 2018 11:28:32 +0200
Subject: [Bro] Disable Log Stream but not the analyzers
<CAHv=
Content-Type: text/plain; charset="utf-8"
event bro_init()
{
Log::disable_stream(HTTP::LOG);
}
But i want scripts using HTTP protocol to work e.g
https://raw.githubusercontent.com/sethhall/bro-scripts/master/top-websites.bro
Is there any other way to do it ?
-------------- next part --------------
An HTML attachment was scrubbed...
http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181121/923f0989/attachment-0001.html
------------------------------
_______________________________________________
Bro mailing list
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
End of Bro Digest, Vol 151, Issue 22
************************************
To subscribe or unsubscribe via the World Wide Web, visit
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
You can reach the person managing the list at
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bro digest..."
1. Re: Dropped Packets too much (jiahui zhao) (Robert Cotter)
2. Disable Log Stream but not the analyzers (Alex Kefallonitis)
----------------------------------------------------------------------
Message: 1
Date: Wed, 21 Nov 2018 02:17:06 +0000
Subject: Re: [Bro] Dropped Packets too much (jiahui zhao)
Content-Type: text/plain; charset="us-ascii"
I would suggest doing some reading on Bro clustering going a little deeper
on your 'lb' configuration.
Not knowing what the data/packet rates you are attempting to process but
in my experience asking a single process thread to do more than 300 Mb is
going to ensure you get packet drops.
Below is part of my node.cfg for a 500Mb complex network data test lab
setup I am currently running hosted in Centos KVM so I can learn/test some
of the DNS/SSL scripting features.
[worker-1]
type=worker
host=localhost
#Interface=dag0
lb_procs=4
lb_method=interfaces
lb_interfaces=dag0,dag1,dag2,dag3
pin_cpus=4,5,6,7
Hope this helps you.
Regards
Robert Cotter
-------------- next part --------------
An HTML attachment was scrubbed...
http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181121/d49c33d5/attachment-0001.html
------------------------------
Message: 2
Date: Wed, 21 Nov 2018 11:28:32 +0200
Subject: [Bro] Disable Log Stream but not the analyzers
<CAHv=
Content-Type: text/plain; charset="utf-8"
event bro_init()
{
Log::disable_stream(HTTP::LOG);
}
But i want scripts using HTTP protocol to work e.g
https://raw.githubusercontent.com/sethhall/bro-scripts/master/top-websites.bro
Is there any other way to do it ?
-------------- next part --------------
An HTML attachment was scrubbed...
http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181121/923f0989/attachment-0001.html
------------------------------
_______________________________________________
Bro mailing list
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
End of Bro Digest, Vol 151, Issue 22
************************************