[Bro-Dev] Bro's snap length
William Jones
jones at tacc.utexas.edu
Fri Nov 18 12:48:44 PST 2011
What type of Ethernet card are they using?
Is pf_ring enabled?
Bill Jones
-----Original Message-----
From: bro-dev-bounces at bro-ids.org [mailto:bro-dev-bounces at bro-ids.org] On Behalf Of Seth Hall
Sent: Friday, November 18, 2011 1:35 PM
To: bro-dev at bro-ids.org Dev
Subject: [Bro-Dev] Bro's snap length
We're going to need to change Bro's default snap length before the 2.0 final release or at least do something. I've run into several people now who are having really abysmal performance (dropping packets at a relatively low data rate) and when they run with a reduced snaplen the performance immediately improves.
If anyone is seeing apparent performance problems with Bro, add the following line to broctl.cfg:
broargs=-l 9800
You can set the value to match your MTU, but you also need to be aware that you must disable some offload features of NICs. More information about the issue can be found in a recent post on the Security Onion blog.
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
_______________________________________________
bro-dev mailing list
bro-dev at bro-ids.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
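A pre-flight check for the snap length and NIC offload advice in the quoted message, added here as an example and not taken from either poster or from Bro itself. It assumes the offloads in question are the segmentation and coalescing features reported by `ethtool -k`; the function names, the interface `eth0`, the 9000-byte MTU and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag NIC offloads and snap lengths that truncate captures.
# Assumption: the relevant offloads are the four named in the regex below
# (feature names as printed by `ethtool -k`).

# Constructed sample of `ethtool -k eth0` output, so the script runs offline.
SAMPLE_FEATURES='Features for eth0:
rx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Print each segmentation/coalescing offload that is "on", one per line.
# Indented sub-features are ignored because their names do not match.
enabled_offloads() {
    awk -F': *' '
        { name = $1; sub(/^[ \t]+/, "", name) }
        name ~ /^(tcp-segmentation|generic-segmentation|generic-receive|large-receive)-offload$/ &&
            $2 ~ /^on/ { print name }'
}

# Succeed when the snap length holds a whole frame: MTU plus link-layer
# header (14 bytes for Ethernet, pass 18 when frames carry an 802.1Q tag).
snaplen_covers_frame() {
    snaplen=$1; mtu=$2; hdr=${3:-14}
    [ "$snaplen" -ge $((mtu + hdr)) ]
}

# check_sensor SNAPLEN MTU < ethtool-output; returns 0 only if nothing is flagged.
check_sensor() {
    rc=0
    for f in $(enabled_offloads); do
        echo "WARN: $f is on; captured frames may exceed the snap length"
        rc=1
    done
    snaplen_covers_frame "$1" "$2" || { echo "WARN: snaplen $1 < MTU $2 + header"; rc=1; }
    return $rc
}

# On a live sensor: ethtool -k eth0 | check_sensor 9800 9000
printf '%s\n' "$SAMPLE_FEATURES" | check_sensor 9800 9000 || true
```

With the sample input the check warns about `tcp-segmentation-offload` and `generic-receive-offload`, while the 9800-byte snap length passes for a 9000-byte MTU.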