[Bro-Dev] #447: Bro snaplen

Bro Tracker bro at tracker.bro-ids.org
Thu Aug 11 11:47:46 PDT 2011

#447: Bro snaplen
  Reporter:  vern     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro1.6
 Component:  Bro      |    Version:
Resolution:           |   Keywords:

Comment (by seth):

 I'm not sure this is something that could be auto tuned easily.  I assume
 (i know, i know.  assumptions and all) that the reason almost every tool
 exposes this setting to users is because there just isn't a really good
 way to tell if you are truncating packets besides testing higher snap

 Vern, do you have any fundamental objections with us going forward with
 creating some user accessible setting for the sake of expediency?  We
 could even set 65535 as the default so that it should just work out of the
 box in most scenarios with no tuning with the downside that it could
 potentially cause performance or capacity problems in some installations.
 I actually ran into this problem yesterday and needed to modify Pktsrc.cc
 to make Bro see full packets.

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/447#comment:7>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list