High orig_bytes value

Hello guys,

I’m testing Bro 2.5 beta with netmap, and I noticed this row:

{"ts":1472467151.681244,"uid":"CgoIaB3GxSCIEgWea7","id.orig_h":"192.168.181.107","id.orig_p":11328,"id.resp_h":"172.16.1.60","id.resp_p":9997,"proto":"tcp","duration":0.362595,"orig_bytes":4294967296,"resp_bytes":4294967296,"conn_state":"SF","local_resp":true,"missed_bytes":1168863602,"history":"ShAFFff","orig_pkts":7,"orig_ip_bytes":292,"resp_pkts":4,"resp_ip_bytes":184,"tunnel_parents":[],"local_origi":"T4","local_respo":"T4"}

If you look at this log, you can see that 4 GB of data were exchanged in 0 sec, which is impossible.
I followed the netmap installation guide, patching the Intel igb driver, and so I'm using the system libpcap (version 0.8).

Has anyone had this kind of problem? Might it be a netmap problem? Should I use pf_ring instead?

Thanks in advance,
Danilo

Unfortunately you haven't given enough information to debug this problem. I haven't heard of a problem like this with netmap.

Although, I can say that it would be possible to cause a Bro log to look like that if two systems on the network were out to mess with you. Those large numbers are calculated by doing TCP sequence ID tracking. If you look at the orig_ip_bytes and resp_ip_bytes fields, you can see those are much smaller because they are actually calculated from the byte size of packets seen.

Are you seeing this regularly, or was this a one-off? Are you running packet-bricks or lb on top of netmap or do you have Bro connecting to a netmap interface directly? Are you using the netmap libpcap wrappers or are you using the netmap plugin?

.Seth
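An added sanity check over JSON conn.log rows (example code written for this thread, not Bro's own), following Seth's point: orig_bytes/resp_bytes come from sequence-number tracking while the *_ip_bytes fields count bytes actually seen, so the sequence-derived total cannot legitimately exceed the seen bytes plus missed_bytes, and a count of exactly 2^32 is the tell-tale of a 32-bit sequence-number wrap. The first row is the one from the thread; the second is constructed as a sane comparison.

```python
import json

# Row 1: the conn.log record posted in the thread.
# Row 2: a constructed, ordinary-looking record used as a control.
SAMPLE_LOG = r'''
{"ts":1472467151.681244,"uid":"CgoIaB3GxSCIEgWea7","id.orig_h":"192.168.181.107","id.orig_p":11328,"id.resp_h":"172.16.1.60","id.resp_p":9997,"proto":"tcp","duration":0.362595,"orig_bytes":4294967296,"resp_bytes":4294967296,"conn_state":"SF","local_resp":true,"missed_bytes":1168863602,"history":"ShAFFff","orig_pkts":7,"orig_ip_bytes":292,"resp_pkts":4,"resp_ip_bytes":184,"tunnel_parents":[]}
{"ts":1472467152.0,"uid":"CONSTRUCTED000001","id.orig_h":"192.168.181.10","id.orig_p":50000,"id.resp_h":"172.16.1.60","id.resp_p":9997,"proto":"tcp","duration":1.5,"orig_bytes":1200,"resp_bytes":300,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"orig_ip_bytes":1520,"resp_pkts":4,"resp_ip_bytes":520,"tunnel_parents":[]}
'''

SEQ_WRAP = 2 ** 32  # TCP sequence numbers are 32-bit


def suspicious_byte_counts(rec):
    """Return the reasons why the sequence-derived byte counters look wrong (empty if sane)."""
    reasons = []
    seq_total = 0       # bytes inferred from sequence numbers
    seen_total = 0      # bytes of packets actually captured (IP layer)
    for side in ("orig", "resp"):
        payload = rec.get(f"{side}_bytes") or 0
        ip_bytes = rec.get(f"{side}_ip_bytes") or 0
        seq_total += payload
        seen_total += ip_bytes
        # A payload count of exactly k * 2^32 cannot come from real traffic of this size;
        # it is what a mis-tracked 32-bit sequence wrap produces.
        if payload and payload % SEQ_WRAP == 0:
            reasons.append(f"{side}_bytes={payload} is an exact multiple of 2^32 (sequence wrap)")
    # Sequence-derived payload may exceed captured bytes only by what the sensor missed;
    # IP/TCP headers make ip_bytes larger, never smaller, so this bound is conservative.
    allowed = seen_total + (rec.get("missed_bytes") or 0)
    if seq_total > allowed:
        reasons.append(f"orig_bytes+resp_bytes={seq_total} exceeds ip_bytes+missed_bytes={allowed}")
    return reasons


def audit_conn_log(text):
    """Map uid -> reasons for every JSON conn.log line whose byte counters are implausible."""
    flagged = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = suspicious_byte_counts(rec)
        if reasons:
            flagged[rec["uid"]] = reasons
    return flagged


if __name__ == "__main__":
    for uid, reasons in audit_conn_log(SAMPLE_LOG).items():
        print(uid, "->", "; ".join(reasons))
```

Run over a real conn.log in JSON format, a burst of flagged uids coinciding with a capture-path change (as in this thread) points at the sensor pipeline rather than at the hosts.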

Hello,

Sorry for the short information.

I’m using Packet-bricks + Bro (2.5) + Netmap (plugin)

Yesterday I removed Packet-bricks from the chain and the problem was solved.

So in some way packet-bricks causes that problem in my network (regularly).

I was using git version of packet-bricks in this way:

Eth0 --\
Eth1 ------ Merge -> Slot -> LoadBalance ----- Slot -> Bro worker #1
Eth2 ---/                                   \--- Slot -> Bro worker #2
Eth3 --/

Should I use orig_ip_bytes instead of orig_bytes for more reliability?

Thanks for your suggestions

Sorry for the short information.
I’m using Packet-bricks + Bro (2.5) + Netmap (plugin)

Thanks for the explanation of what you're doing, that's helpful.

Yesterday I removed Packet-bricks from the chain and the problem was solved.

That's good to know.

Eth0 --\
Eth1 ------ Merge -> Slot -> LoadBalance ----- Slot -> Bro worker #1
Eth2 ---/                                   \--- Slot -> Bro worker #2
Eth3 --/

Have you tried just sniffing a single interface and doing load balancing? Could you send the script you're running in packet-bricks?

  .Seth

Hello Seth,

Have you tried just sniffing a single interface and doing load balancing? Could you send the script you’re running in packet-bricks?

No, I've tried to sniff four interfaces, merging them into one and load-balancing onto two workers (for now).

I used first:

Brick.new(“Merge”)

And then:

Brick.new(“LoadBalancer”)

The flow works as programmed, but sometimes that problem with wrong orig_bytes happened.

Now I've removed the packet-bricks layer, connecting the netmapped interfaces directly to Bro, and it's working well.

Thanks for your interest

Danilo