[Bro-Dev] #447: Bro snaplen
Bro Tracker
bro at tracker.bro-ids.org
Thu Aug 11 11:47:46 PDT 2011
#447: Bro snaplen
----------------------+--------------------
Reporter: vern | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version:
Resolution: | Keywords:
----------------------+--------------------
Comment (by seth):
I'm not sure this is something that could be auto tuned easily. I assume
(i know, i know. assumptions and all) that the reason almost every tool
exposes this setting to users is because there just isn't a really good
way to tell if you are truncating packets besides testing higher snap
lengths.
Vern, do you have any fundamental objections with us going forward with
creating some user accessible setting for the sake of expediency? We
could even set 65535 as the default so that it should just work out of the
box in most scenarios with no tuning with the downside that it could
potentially cause performance or capacity problems in some installations.
I actually ran into this problem yesterday and needed to modify Pktsrc.cc
to make Bro see full packets.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/447#comment:7>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
More information about the bro-dev
mailing list