dropped packets - how to troubleshoot?
Kevin Shipley
BRO_NOTICE is reporting PacketFilter::Dropped_Packets
58848 packets dropped after filtering 3748748 received 3689900 on link
150815 packets dropped after filtering 3453046 received 3302231 on link
24680 packets dropped after filtering 3118441 received 3093761 on link
sostat reports the following:
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 1.390886
bro: 1389725559.322976 recvd=54177713 dropped=753550 link=54177713
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/davos-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/davos-eth1/snort-2.stats last reported pkt_drop_percent as 1.143
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 5.6.1 ($Revision: $)
Total rings : 3
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 41
/proc/net/pf_ring/4158-eth1.71
Appl. Name : <unknown>
Tot Packets : 54957397
Tot Pkt Lost : 753550
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 8151
Num Free Slots : 0
/proc/net/pf_ring/4414-eth1.80
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 25561735
Tot Pkt Lost : 121113
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4872
Num Free Slots : 4840
/proc/net/pf_ring/4445-eth1.81
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 28897432
Tot Pkt Lost : 346244
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4872
Num Free Slots : 4849
Doug Burks
Please send the full output of the following command:
sudo sostat-redacted
It will redact IPv4 addresses, but there may be additional data that
you need to manually redact.
If you don't have sostat-redacted, you can either install all
available updates or do "sudo sostat" and manually redact.
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/groups/opt_out.
--
Doug Burks
Kevin Shipley
I decide to rerun setup on my server since there have been a number of changes since I first installed. I increased some of the defaults related to performance settings and that seems to have helped. The server has been up for almost two days and it isn't dropping packets right now. Thanks for all your hard work on Security Onion--it's an incredible system.
--Kevin