According to the following:
https://www.bro.org/documentation/faq.html#how-can-i-reduce-the-amount-of-captureloss-or-dropped-packets-notices
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
I can get capture loss notices when an bro isn’t getting all the acks from an upstream device (network tap, wrongly configured ethernet port, etc) which is different from dropped packets which is when bro can’t process all the packets it sees.
So in my environment, I’m getting entries in the capture-loss.log, but I’m not getting any corresponding entries in my notice.log.
https://www.bro.org/sphinx/scripts/policy/misc/capture-loss.bro.html
Does this mean that I’m seeing Capture Loss without Dropped Packets? and that it’s caused by a device upstream to Bro?
Thanks.