Help with missed_bytes affecting hash creations in files.log

Hi,

I have Bro 2.4.1 running on an older system (2 Intel X5550 processors giving 8 CPUs), 48Gb memory running 64 bit Ubuntu (14.04.4) server, using PF_Ring with an Intel 82571EB Ethernet card (1gb copper). This system is sitting on a network tap that is just seeing SMTP traffic between our outer mail gateway and our inside mail infrastructure. My Bro configuration is relatively simple, with a nodes.cfg being:

[manager]
type=manager
host=localhost

Try adding this to local.bro:

@load misc/capture-loss

And then checking the capture_loss.log file which it will generate (will
take 15 minutes to get it to appear initially). For more information
about capture loss, see:

https://www.bro.org/documentation/faq.html#how-can-i-reduce-the-amount-of-captureloss-or-dropped-packets-notices

  --Vlad

Stephen Castellarin <castle1126@yahoo.com> writes:

Hi Vlad,

Yes I’ve had the capture_loss script enabled for some time on my system. Looking at today’s entries - I’ve seen percent loss in 154 of 344 entries, with the largest percentage being 2.9%. Checking “broctl netstats” I’m showing 0 dropped by my workers.

Steve
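Added example, not part of the original messages: a short Python script that tallies a capture_loss.log in the terms used in this thread (intervals showing loss out of the total, and the largest percent_lost) and also computes an ACK-weighted overall loss. It assumes the default tab-separated log with the fields ts, ts_delta, peer, gaps, acks and percent_lost; the sample rows and worker names are constructed.

```python
# Added example: summarise capture_loss.log from the misc/capture-loss script.
# SAMPLE_LOG is constructed data; the worker names are hypothetical.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tcapture_loss",
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble",
    "1461153600.000000\t900.000000\tworker-1\t0\t41200\t0.000000",
    "1461153600.000000\t900.000000\tworker-2\t12\t40000\t0.030000",
    "1461154500.000000\t900.000000\tworker-1\t1160\t40000\t2.900000",
    "1461154500.000000\t900.000000\tworker-2\t0\t38800\t0.000000",
    "#close\t2016-04-20-13-00-00",
])


def parse_bro_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))


def summarize_loss(text):
    """Count lossy intervals, the worst interval, and ACK-weighted loss."""
    out = {"intervals": 0, "lossy": 0, "max_pct": 0.0, "gaps": 0, "acks": 0,
           "lossy_by_peer": {}}
    for rec in parse_bro_log(text):
        pct = float(rec["percent_lost"])
        out["intervals"] += 1
        out["gaps"] += int(rec["gaps"])
        out["acks"] += int(rec["acks"])
        out["max_pct"] = max(out["max_pct"], pct)
        if pct > 0:
            out["lossy"] += 1
            peers = out["lossy_by_peer"]
            peers[rec["peer"]] = peers.get(rec["peer"], 0) + 1
    # Weighted figure: total gaps over total ACKs, not an average of percentages.
    out["overall_pct"] = 100.0 * out["gaps"] / out["acks"] if out["acks"] else 0.0
    return out


if __name__ == "__main__":
    # For a real log: summarize_loss(open("capture_loss.log").read())
    print(summarize_loss(SAMPLE_LOG))
```

The per-peer count shows whether loss is concentrated on one worker, and the weighted figure puts a single bad 15-minute interval in proportion to the whole day's traffic.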
