I mirrored the traffic between the core switch of our computer room and the public network firewall, but the Zeek report contained a lot of packet loss (30%), and it currently uses PFring for packet capture. I confirm that the hardware is fully capable of handling these packets. “Capture loss” and “dropped packets” have alarms. At the same time, in the weird log, a large number of TCP_seq/ack_underflow_or_misorder logs are included.
So I want to know why there is such a high rate of packet loss, how to trace the cause, and how to solve it. I look forward to receiving your reply.
Hello,
How are you mirroring the traffic? If it’s a switch span port, that could be the source of the dropped traffic.
Sincerely,
Richard