11 Aug
2020
11 Aug
'20
6:23 p.m.
Hoping to understand the data in PacketFilter::Dropped_packets notices
better. What do each of the counts indicate?
Wondering because I have a small percentage of notices from a variety
of sensors that are logging the following in the notices, and the
counts end up being too large of integers for some post-processing
utilities to help compute some metrics on. I suspect that these come
from Bro 2.6 sensors. Examples:
18446744069482849436 packets dropped after filtering,
18446744069489230937 received, 6381501 on link
18446744069467467531 packets dropped after filtering,
18446744069467980684 received, 513153 on link
18446744069774533196 packets dropped after filtering,
18446744069778234931 received, 3701735 on link
18446744069437332601 packets dropped after filtering,
18446744069462690099 received, 25357498 on link
18446744069540779703 packets dropped after filtering,
18446744069561221983 received, 20442280 on link
18446744069457313223 packets dropped after filtering,
18446744069457748075 received, 434852 on link
18446744069561323156 packets dropped after filtering,
18446744069583649097 received, 22325941 on link
I was attempting to track percentage of dropped packets from this
notice by dividing the total received (2nd number) by the count
dropped after filtering (1st number) based on what seems like the more
common types of reports we see, like this one:
1 packets dropped after filtering, 2724370 received, 2724369 on link
(1/2724370 => 0.000000367057338). But I can't conceive that the
messages above are carrying realistic numbers to calculate on.
--
Darren Spruell
phatbuckett(a)gmail.com
12 Aug
12 Aug
6:34 a.m.
On Tue, Aug 11, 2020 at 9:25 PM Darren S. <phatbuckett(a)gmail.com> wrote:
Hoping to understand the data in PacketFilter::Dropped_packets notices
better. What do each of the counts indicate?
Wondering because I have a small percentage of notices from a variety
of sensors that are logging the following in the notices, and the
counts end up being too large of integers for some post-processing
utilities to help compute some metrics on. I suspect that these come
from Bro 2.6 sensors. Examples:
18446744069482849436 packets dropped after filtering,
18446744069489230937 received, 6381501 on link
Looks like a driver problem or something odd going on... something
confusing a 32bit value for a 64bit one. What sort of platform is
this on?
18446744069482849436 is 0xFFFFFFFF0411A49C. likely that value should
just be 0x0411A49C which is 68265116
so that should probably be
68265116 packets dropped after filtering,
74646617 received, 6381501 on link
which still isn't great, but at least makes more sense.
You should upgrade to zeek. Bro 2.6 is missing years of features,
performance, and security fixes at this point.
--
Justin
23 Aug
23 Aug
8:23 p.m.
On Wed, Aug 12, 2020 at 6:34 AM Justin Azoff <justin(a)corelight.com> wrote:
On Tue, Aug 11, 2020 at 9:25 PM Darren S.
<phatbuckett(a)gmail.com> wrote:
Verified the following:
CentOS 7
Likely running as VMware guests
NIC drivers:
- e1000 (version 7.3.21-k8-NAPI)
- vmxnet3 (version 1.4.16.0-k-NAPI)
You should upgrade to zeek. Bro 2.6 is missing years of features,
Hoping to understand the data in PacketFilter::Dropped_packets notices
better. What do each of the counts indicate?
Wondering because I have a small percentage of notices from a variety
of sensors that are logging the following in the notices, and the
counts end up being too large of integers for some post-processing
utilities to help compute some metrics on. I suspect that these come
from Bro 2.6 sensors. Examples:
18446744069482849436 packets dropped after filtering,
18446744069489230937 received, 6381501 on link
Looks like a driver problem or something odd going on... something
confusing a 32bit value for a 64bit one. What sort of platform is
this on?
performance, and security fixes at this point.
This is occurring hopefully shortly.
--
Darren Spruell
phatbuckett(a)gmail.com
640
days inactive
652
days old
2 comments
2 participants
participants (2)
-
Darren S. -
Justin Azoff