How are you mirroring the traffic? If it’s a switch span port, that could
be the source of the dropped traffic.
On Tue, Oct 29, 2019 at 7:30 AM 杨毅凌 <1766521944(a)qq.com> wrote:
I mirrored the traffic between the core switch of our computer room and
the public network firewall, but the Zeek report contained a lot of packet
loss (30%), and currently uses PF_RING for packet capture. I confirm that
the hardware is fully capable of handling these packets. "Capture loss" and
"dropped packets" have alarms. At the same time, in the weird log, a large
number of TCP_seq/ack_underflow_or_misorder logs are included.
So I want to know why there is such a high rate of packet loss, how to
trace the cause, and how to solve it. I look forward to receiving your reply.
Zeek mailing list
Principal Security Strategist, Corelight