[Bro] - change default MTU for pcaps processing

Johanna Amann johanna at icir.org
Fri Sep 15 12:23:41 PDT 2017


Hi,

the way to do this is to redef Pcap::snaplen to a desired value. If you
use broctl, you might have to set pcapsnaplen in broctl.cfg (I think
broctl might overwrite the value otherwhise).

Note that this is also used for interface monitoring - as far as I am
aware, Bro does not just use the NIC MTU. The default snaplen of Bro is
8192.

Johanna

On Thu, Sep 14, 2017 at 07:55:43AM +0000, william de ping wrote:
> Hi,
> 
> Does anyone know how can I change the default MTU for bro ?
> 
> This is relevant for pcap parsing and not for interface monitoring (for the
> latter, I assume bro will use the MTU for this NIC itself).
> 
> Thanks
> B

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



More information about the Bro mailing list