[Bro-Dev] PF_RING cluster ID

Seth Hall seth at icir.org
Wed Aug 31 13:20:46 PDT 2011


On Aug 31, 2011, at 4:15 PM, William Jones wrote:

> I now know that the source was due to the small snap len that bro uses in combination with  a standard optimization in the new 10 GiGE card that will present  several continues packets as one to pcap.  So 10 1500 packets could turn into one 15000 buy packet.  

We'll be integrating the permanent-ish fix for this soon.  The default snaplen is changing to 65535 along with having a -s option in case you need to shorten the snaplen.  I think a lot of people have been running into that packet merging thing lately.

> I don't mind fixing my configs if you give me a more standard way to do something.    When the next version coming out?

Our aim right now is a beta next month.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/




More information about the bro-dev mailing list