[Bro] impossibly large packets

Tim Ray tray at 21ct.com
Mon Feb 11 12:41:09 PST 2013


Our current best guess is 1,766,926,155 bytes. That's clearly far above
the jumbo limit, or any other limit I can think of. When we try to open
that packet in Wireshark, it's corrupt, which I believe to be true.

How does Bro handle such a case? Does it understand that such a thing is
corrupt?

On 2/11/13 2:32 PM, "Seth Hall" <seth at icir.org> wrote:

>
>On Feb 11, 2013, at 3:14 PM, Tim Ray <tray at 21ct.com> wrote:
>
>> Does Bro have any way to handle corrupt packets that appear to be
>>impossibly large? When we get those in our setup, it hangs. Thanks.
>
>You're going to have to define "impossibly large".  Could you also
>describe more what you mean when you say it hangs too?
>
>Just a pre-guess though… Do you have any NIC features enabled for
>extended packet handling?
>	http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
>
>  .Seth
>
>
>--
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network
>http://www.bro-ids.org/
>
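A practical way to answer "is this record corrupt?" before handing a trace to Bro or Wireshark is to walk the pcap record headers and refuse to trust any captured length that is larger than the file's snaplen, the original frame length, or a sane frame ceiling. The following scanner is an added example written for this thread; it is not code from Bro or from anyone in the discussion. It assumes a little-endian classic pcap (magic 0xa1b2c3d4), a constructed two-record sample built inline (one ordinary 60-byte frame followed by a record that claims the 1,766,926,155-byte length mentioned above), and a hypothetical 9216-byte ceiling standing in for "anything above jumbo is impossible".

```python
import struct

# Classic pcap layout (little-endian): global header, then per-record headers.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, caplen (incl_len), origlen

# Assumed sanity ceiling in bytes; jumbo frames commonly stop around 9000, so anything
# above this is treated as an impossible capture length rather than a real frame.
JUMBO_LIMIT = 9216


def scan_pcap(data: bytes, max_len: int = JUMBO_LIMIT):
    """Validate every record header before using its length to advance.

    Returns (ok_count, problems); problems is a list of (record_index, reason).
    Scanning stops at the first structural problem, because once a length is
    untrusted every later offset is untrusted too.
    """
    if len(data) < PCAP_GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, _maj, _min, _tz, _sig, snaplen, _link = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError(f"unsupported pcap magic 0x{magic:08x}")

    off = PCAP_GLOBAL_HDR.size
    ok = 0
    problems = []
    idx = 0
    while off < len(data):
        if len(data) - off < PCAP_REC_HDR.size:
            problems.append((idx, "truncated record header"))
            break
        _s, _us, caplen, origlen = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        remaining = len(data) - off

        # Order matters: the "impossible" check fires before any offset arithmetic
        # uses caplen, so a bogus 1.7 GB length never makes the scanner seek or read it.
        if caplen > max_len:
            problems.append((idx, f"impossibly large caplen {caplen} (> {max_len})"))
            break
        if caplen > snaplen:
            problems.append((idx, f"caplen {caplen} exceeds snaplen {snaplen}"))
            break
        if caplen > origlen:
            problems.append((idx, f"caplen {caplen} exceeds origlen {origlen}"))
            break
        if caplen > remaining:
            problems.append((idx, f"record claims {caplen} bytes, only {remaining} left in file"))
            break

        off += caplen  # length is now trusted, so advancing by it is safe
        ok += 1
        idx += 1
    return ok, problems


def build_sample_pcap() -> bytes:
    """Constructed sample, not a real capture: one sane record, then a corrupt one."""
    hdr = PCAP_GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # snaplen 65535, Ethernet
    frame = bytes(60)  # zero-filled minimal Ethernet-sized frame
    rec_ok = PCAP_REC_HDR.pack(0, 0, len(frame), len(frame)) + frame
    # Record header claiming the impossible length from the thread, followed by junk.
    rec_bad = PCAP_REC_HDR.pack(0, 0, 1766926155, 1766926155) + b"\xde\xad\xbe\xef"
    return hdr + rec_ok + rec_bad


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    good, bad = scan_pcap(SAMPLE_PCAP)
    print(f"{good} sane record(s)")
    for index, reason in bad:
        print(f"record {index}: {reason}")
```

Run against a real trace by replacing `SAMPLE_PCAP` with the file's bytes (`open(path, "rb").read()`). The point of checking the length against `max_len`, `snaplen`, `origlen` and the bytes actually left in the file before advancing is that a reader which simply seeks ahead by `caplen` will either wander off the end of the file or sit waiting for data that never arrives, which is one plausible shape for the "hang" described earlier in the thread.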