[Bro-Dev] Bro's snap length
jones at tacc.utexas.edu
Fri Nov 18 12:48:44 PST 2011
What type of ether net card are they using.
Is pf_ring nabled?
From: bro-dev-bounces at bro-ids.org [mailto:bro-dev-bounces at bro-ids.org] On Behalf Of Seth Hall
Sent: Friday, November 18, 2011 1:35 PM
To: bro-dev at bro-ids.org Dev
Subject: [Bro-Dev] Bro's snap length
We're going to need to change Bro's default snap length before the 2.0 final release or at least do something. I've run into several people now who are having really abysmal performance (dropping packets at relatively low data rate) and when they run with a reduced snaplen the performance immediately improves.
If anyone is seeing apparent performance problems with Bro, add the following line to broctl.cfg:
You can set the value to match your MTU but you also need to be aware that you must disable some offload features of NICs. More information about the issue can be found at a recent post on the security onion blog.
International Computer Science Institute
(Bro) because everyone has a network
bro-dev mailing list
bro-dev at bro-ids.org
More information about the bro-dev