Bro Doctor

This plugin provides a "doctor" command for broctl that will help to troubleshoot various common cluster problems.

This plugin runs the following checks:


Checks if many recent connections have a SAD or had history

If any connections have a history that is one sided (all uppercase or all lowercase) this indicates that bro is only seeing half of the connection.


Checks for recent capture_loss.log entries

Capture loss should be as low as possible across all workers.


Checks what percentage of recent tcp connections show loss

Like capture loss, but instead of reporting on the absolute loss amount, report on the percentage of recent connections show any loss at all.


Checks if anything is in the deprecated local-logger.bro, local-manager.bro, local-proxy.bro, or local-worker.bro scripts

Unless you know what you are doing, you should ONLY be using local.bro.


Checks if any recent connections have been logged multiple times

Each connection should only be logged once. If a connection is logged multiple times, especially once per worker, load balancing is not working properly.


Checks if connections are unevenly distributed across workers

Usually, connections should be distributed evenly across workers. If connections are unevenly distributed, load balancing might be not working properly.


Checks what percentage of recent tcp connections are remote to remote.

This will detect problems with networks.cfg not listing all subnets that should be considered local.


Checks if bro is linked against a custom malloc like tcmalloc or jemalloc

Bro performs best when using a better malloc than the standard one in glibc.


Checks pf_ring configuration

If bro is configured to use pf_ring, it needs to be linked against it. If bro is linked against pf_ring, it should be using it.

If the bro pf_ring plugin is installed, the interface name should start with pf_ring::


Checks for recent reporter.log entries

If bro is running well, there will be zero reporter.log messages.


broctl doctor [check] [check]


Run all checks

broctl doctor

Run just the duplicate check

broctl doctor check_duplicate_5_tuples

Package Version :