[Bro-Dev] snaplen and drops

William Jones jones at tacc.utexas.edu
Thu Oct 27 13:30:28 PDT 2011

The Linux kernel will enable Large Receive Offload on NICs that support it. This allows the NIC to present multiple contiguous TCP packets as one large packet to the kernel. I have seen tcpdump report a packet size of 24K on interfaces with MTU sizes of 1500 bytes when LRO is on.

The only way to turn off this feature in Linux right now is to turn route forwarding on and reboot.

-----Original Message-----
From: bro-dev-bounces at bro-ids.org [mailto:bro-dev-bounces at bro-ids.org] On Behalf Of Robin Sommer
Sent: Thursday, October 27, 2011 1:03 PM
To: Martin Holste
Cc: bro-dev at bro-ids.org
Subject: Re: [Bro-Dev] snaplen and drops

On Thu, Oct 27, 2011 at 11:15 -0500, you wrote:

> That's very weird.  It's abnormal to get packets > 1514, right?  Are
> you monitoring a link with a lot of jumbo packets?

Not at all, but iirc, the kernel reserves spaces for packets of size
snaplen, which means that with larger snaplen, less will fit into its

>  Something is wrong, as that small bandwidth shouldn't matter no
>  matter what the packet sizes are anyway.

Yeah, I'm thinking so too. Something odd is going on, need to look into
it more closely.

As long as others aren't seeing similar problems with the default 65K
snaplen, I'm fine.


Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org