Question about capture loss script vs. broctl netstats

I apologize if this has been answered already - I was searching through the list archives and didn't seem to find the answer.

I have configured a RHEL 6 server with the latest Bro from the repository and pf_ring 5.2.2.

It seems pf_ring works - I run pfcount on my capture interface and it sees traffic and reports no packet loss.

I have Bro configured per the post at http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html and everything starts fine and Bro is up and running.

I run netstats in the Broctl shell and get:

worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222

But in the notice.log file I see:
1372179930.880560 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 38.520% - - - - - worker-0-3 Notice::ACTION_LOG 3600.000000 F - - - -
1372179930.908354 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 37.415% - - - - - worker-0-4 Notice::ACTION_LOG 3600.000000 F - - - -
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 40.462% - - - - - worker-0-1 Notice::ACTION_LOG 3600.000000 F - - - -
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 42.910% - - - - - worker-0-2 Notice::ACTION_LOG 3600.000000 F - - - -

So my question is, am I dropping packets or am I good to go?

Best Regards,

Derek Banks

My understanding is that this indicates Bro is processing every packet it receives, but it is only receiving about 60% of the packets that are crossing the wire Bro is monitoring…

Do you have more information about the link you are tapping (bandwidth, packets/sec), the network card on the Bro box, and the specs of the Bro box?

-- KS

How are you tapping your traffic?

  .Seth

It is from a span fed into a Netoptics port regenerator that feeds a few devices. One of those is another Red Hat box with an Endace card in it. That box (and another device we have) do not seem to be dropping traffic.

-Derek

How are you measuring packet loss with your other tools? The script that is generating those notices you saw is measuring aspects of TCP that indicate packet loss which could be happening upstream of your monitoring. By that, I mean you could be oversubscribing your SPAN port. It could be worth checking packet stats on the SPAN port to see if you are losing traffic there.

  .Seth
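To illustrate Seth's point about the two measurements disagreeing, here is a constructed simulation (an added example, not code from Bro or from anyone in this thread): segments are discarded upstream of the sniffing interface, so the interface counters look like the netstats output above while the TCP stream still shows sequence-number gaps. The gap-per-segment ratio used here is a simplification assumed for illustration; the real capture-loss script works from Bro's own gap and ack counters.

```python
"""Constructed illustration: upstream (pre-tap) loss is invisible to NIC counters
but visible as TCP sequence-number gaps in the captured stream."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes carried by this segment

def build_stream(n_segments: int, mss: int = 1460, isn: int = 1000) -> list[Segment]:
    """Constructed, gap-free run of data segments from one TCP sender."""
    return [Segment(isn + i * mss, mss) for i in range(n_segments)]

def span_oversubscribed(stream: list[Segment], drop_every: int) -> list[Segment]:
    """Model a bottleneck before the tap (e.g. an oversubscribed SPAN port) that
    silently discards every `drop_every`-th segment. Bro never sees these."""
    return [s for i, s in enumerate(stream) if (i + 1) % drop_every != 0]

def nic_counters(delivered: list[Segment]) -> dict:
    """Everything that reached the capture interface was captured, so the view
    broctl netstats gives is recvd == link and dropped == 0."""
    return {"recvd": len(delivered), "dropped": 0, "link": len(delivered)}

def gap_based_loss(captured: list[Segment]) -> tuple[int, float]:
    """Walk segments in capture order. Whenever the sequence number jumps past the
    byte expected next, bytes went missing that the capture never saw: a gap event.
    Returns (gap_events, gap_events / segments_seen) as a simplified loss estimate.
    A retransmission (seq below `expected`) is not counted as a gap."""
    if not captured:
        return 0, 0.0
    expected = captured[0].seq
    gaps = 0
    for seg in captured:
        if seg.seq > expected:
            gaps += 1
        expected = max(expected, seg.seq + seg.length)
    return gaps, gaps / len(captured)

if __name__ == "__main__":
    stream = build_stream(1000)
    seen = span_oversubscribed(stream, drop_every=3)   # one in three lost upstream
    print("netstats view:", nic_counters(seen))        # dropped=0, like the thread
    print("gap events, estimated loss:", gap_based_loss(seen))
```

A last-in-stream drop leaves no following segment to reveal it, so the gap count can slightly undercount; that is a limitation of any gap-based estimate, not a sign the counters are right.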