[Bro-Dev] Bro's snap length
Seth Hall
seth at icir.org
Fri Nov 18 11:34:53 PST 2011
We're going to need to change Bro's default snap length before the 2.0 final release or at least do something. I've run into several people now who are having really abysmal performance (dropping packets at relatively low data rate) and when they run with a reduced snaplen the performance immediately improves.
If anyone is seeing apparent performance problems with Bro, add the following line to broctl.cfg:
broargs=-l 9800
You can set the value to match your MTU but you also need to be aware that you must disable some offload features of NICs. More information about the issue can be found at a recent post on the security onion blog.
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the bro-dev
mailing list