[Bro] Bro's snap length

Siwek, Jonathan Luke jsiwek at illinois.edu
Fri Jan 13 10:05:24 PST 2012


> Just wondering what the final decision was for snaplen in 2.0?

    * Reduced snaplen default from 65535 to old default of 8192. The
      large value was introducing performance problems on many
      systems.

    * Replaced the --snaplen/-l command line option with a
      scripting-layer option called "snaplen". The new option can also
      be redefined on the command line, e.g. ``bro -i eth0
      snaplen=65535``.

There's also a related ticket slated for 2.1 that would help with the problems encountered at large snaplens:

http://tracker.bro-ids.org/bro/ticket/553

+Jon


More information about the Bro mailing list