[Bro-Dev] Bro's snap length

William Jones jones at tacc.utexas.edu
Fri Nov 18 12:48:44 PST 2011


What type of Ethernet card are they using?
Is pf_ring enabled?

Bill Jones

-----Original Message-----
From: bro-dev-bounces at bro-ids.org [mailto:bro-dev-bounces at bro-ids.org] On Behalf Of Seth Hall
Sent: Friday, November 18, 2011 1:35 PM
To: bro-dev at bro-ids.org Dev
Subject: [Bro-Dev] Bro's snap length

We're going to need to change Bro's default snap length before the 2.0 final release or at least do something. I've run into several people now who are having really abysmal performance (dropping packets at a relatively low data rate), and when they run with a reduced snaplen the performance immediately improves.

If anyone is seeing apparent performance problems with Bro, add the following line to broctl.cfg:

broargs=-l 9800

You can set the value to match your MTU, but you also need to be aware that you must disable some offload features of NICs. More information about the issue can be found at a recent post on the Security Onion blog.

	http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
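
Added example, not part of the original message or of Bro: a shell check that reads the snaplen from the `broargs=-l` line in broctl.cfg and lists NIC offloads that are still on in `ethtool -k` output. The set of offload names checked is an assumption (the message does not name them), and the sample inputs are constructed.

```shell
#!/bin/sh
# Offloads that let the capture path see frames larger than the MTU.
# Names are as printed by `ethtool -k`; this selection is an assumption of the
# example, the message does not list them.
OFFLOADS='tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload'

# Read broctl.cfg on stdin, print the snaplen passed via "broargs=-l N" (if any).
snaplen_from_cfg() {
    sed -n 's/^[[:space:]]*broargs[[:space:]]*=.*-l[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Read `ethtool -k <iface>` output on stdin, print watched offloads that are on.
offloads_enabled() {
    awk -v want="$OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        { name = $1; sub(/:$/, "", name)
          if ((name in watch) && $2 == "on") print name }'
}

# Constructed sample inputs (config line from the message; ethtool output invented).
SAMPLE_CFG='broargs=-l 9800'
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

snaplen=$(printf '%s\n' "$SAMPLE_CFG" | snaplen_from_cfg)
echo "snaplen from broctl.cfg: ${snaplen:-not set}"
printf '%s\n' "$SAMPLE_ETHTOOL" | offloads_enabled | while read -r f; do
    echo "still enabled: $f (frames may exceed snaplen $snaplen and be truncated)"
done
# On a sensor: ethtool -k eth0 | offloads_enabled   (eth0 is a placeholder)
```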

