bro weird.log is very high

Just wondering why weird.log is such high volume. There are a lot of “possible_split_routing” entries in weird.log. How do I get rid of this issue?

Regards,

Jim Zhai

It's very possible that you have split routing on your network. In other words, you might only be seeing one direction of traffic because the other direction of traffic is going on a route that you aren't seeing (another router for example).

Are you loading the misc/capture-loss.bro script? It's possible that could be caused by a high degree of packet loss as well.

.Seth
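An added example for triaging this (my code, not from the thread or the Bro project): it parses Bro-style TSV for weird.log and for the capture_loss.log that misc/capture-loss.bro writes, counts weird names, shows which host pairs produce possible_split_routing, and summarises percent_lost. The log lines are constructed.

```python
"""Summarise Bro weird.log and capture_loss.log (constructed sample data)."""
from collections import Counter

# Constructed sample records in Bro 2.x TSV layout (not real traffic).
WEIRD_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
1401000001.000000\tC1\t10.0.0.5\t50001\t192.0.2.10\t443\tpossible_split_routing\t-\tF\tbro
1401000002.000000\tC2\t10.0.0.5\t50002\t192.0.2.10\t443\tpossible_split_routing\t-\tF\tbro
1401000003.000000\tC3\t10.0.0.7\t50003\t192.0.2.11\t80\tpossible_split_routing\t-\tF\tbro
1401000004.000000\tC4\t10.0.0.9\t50004\t192.0.2.12\t22\tbad_TCP_checksum\t-\tF\tbro
#close\t2014-05-25-00-00-05
"""

CAPTURE_LOSS_LOG = """\
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
1401000900.000000\t900.0\tbro\t670\t1000\t67.0
1401001800.000000\t900.0\tbro\t610\t1000\t61.0
"""


def parse_bro_tsv(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        elif fields is None:
            raise ValueError("record seen before #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def weird_summary(text, name="possible_split_routing", top=5):
    """Return (count per weird name, top orig/resp host pairs for `name`)."""
    names, pairs = Counter(), Counter()
    for rec in parse_bro_tsv(text):
        names[rec["name"]] += 1
        if rec["name"] == name:
            pairs[(rec["id.orig_h"], rec["id.resp_h"])] += 1
    return names, pairs.most_common(top)


def capture_loss_stats(text):
    """Return (max percent_lost, mean percent_lost) over all intervals."""
    vals = [float(r["percent_lost"]) for r in parse_bro_tsv(text)]
    return (max(vals), sum(vals) / len(vals)) if vals else (0.0, 0.0)
```

If the top pairs all cluster on one external subnet, that subnet's return path is likely the one the sensor never sees.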

Thanks Seth. We do have a very high degree of loss as well, over 60%. We use bridge-utils to bridge two interfaces, eth1 and eth2, which does split the traffic. We are currently just monitoring the br0 interface. We recently upgraded Bro from 2.2 to 2.3. The capture loss used to be very low on 2.2, but the weird.log remains the same. Just wondering if the software bridge setting works in this situation?

Regards,

Jim Zhai

Thanks Seth. We do have a very high degree of loss as well, over 60%.

You're determining that number from capture-loss.log or something else?

We use bridge-utils to bridge two interfaces, eth1 and eth2, which does split the traffic.

Did you mean that it merges the traffic?

We recently upgraded Bro from 2.2 to 2.3. The capture loss used to be very low on 2.2, but the weird.log remains the same. Just wondering if the software bridge setting works in this situation?

Yeah, that should work fine. It sounds like you might want to come up with a solution to your packet loss first. Unfortunately I can't give you an answer without knowing more about your network and what your deployment looks like. In most cases, 2.3 should actually be more efficient than 2.2. There was some work done around identifying some major inefficiencies and addressing them.

.Seth

You're determining that number from capture-loss.log or something else?

Yes, we found this in capture-loss.log. It used to be very low, but after upgrading to 2.3 today it jumped to 67%.

Did you mean that it merges the traffic?

Inbound and outbound merge.

Regards,

Jim Zhai

Hm, some of the TCP handling was rewritten for 2.3. It's possible you're running into edge cases that weren't handled correctly.

Would it be possible for you to privately provide us with some of your conn.log and weird.log files?

.Seth