[Bro-Dev] #447: Bro snaplen
Bro Tracker
bro at tracker.bro-ids.org
Thu Aug 2 06:29:58 PDT 2012
#447: Bro snaplen
-----------------------------+--------------------
Reporter: vern | Owner:
Type: Merge Request | Status: closed
Priority: High | Milestone:
Component: Bro | Version:
Resolution: Solved/Applied | Keywords:
-----------------------------+--------------------
Comment (by seth):
Final comment, to answer a question from the dev mailing list: we ended up
bumping this back down to 8192 due to performance issues with 65535.
There are a couple of things to keep in mind when considering your snap
length.
1. The best solution is going to be to set it to exactly what your MTU is
and 8192 just happens to be a good middle point between working on almost
all networks and not too large to cause performance problems.
2. The other thing is to make sure that NIC features are disabled which
could group multiple packets together and deliver a single enlarged packet
above the MTU for your network. A good reference for these various
features can be found in a blog post by Doug Burks:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/447#comment:14>
Bro Tracker <http://tracker.bro-ids.org/bro>
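
Added example (not part of the original comment or of Bro itself): a shell check for the two points in the comment above. It reads `ethtool -k` output, flags offloads that can hand a sniffer frames larger than the MTU, and compares the snaplen with the MTU plus an assumed 14-byte Ethernet header. The function names, the choice of features to flag and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a capture interface against the two points above.
# Feature names are standard `ethtool -k` labels chosen for this example.

# Constructed sample of `ethtool -k eth0` output (not from a real host).
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Read `ethtool -k` output on stdin; print offloads that merge packets or
# defer splitting them and are still "on".
merging_offloads_on() {
    awk -F': *' '
        $1 ~ /^[ \t]*(generic-receive-offload|large-receive-offload|tcp-segmentation-offload|generic-segmentation-offload)$/ &&
        $2 ~ /^on/ { sub(/^[ \t]+/, "", $1); print $1 }'
}

# usage: snaplen_covers SNAPLEN MTU [LINK_HEADER_BYTES]
# A captured frame is the MTU-sized packet plus the link-layer header
# (14 bytes assumed here: untagged Ethernet).
snaplen_covers() {
    [ "$1" -ge $(( $2 + ${3:-14} )) ]
}

# usage: audit_capture SNAPLEN MTU < ethtool_output
audit_capture() {
    snaplen=$1 mtu=$2 findings=0
    for feat in $(merging_offloads_on); do
        echo "WARN: $feat is on; frames above the MTU may reach the sniffer"
        findings=$((findings + 1))
    done
    if ! snaplen_covers "$snaplen" "$mtu"; then
        echo "WARN: snaplen $snaplen does not cover MTU $mtu plus link header"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
}

# Offline run on the sample. Live use:
#   ethtool -k eth0 | audit_capture 8192 "$(cat /sys/class/net/eth0/mtu)"
printf '%s\n' "$SAMPLE_ETHTOOL" | audit_capture 8192 1500
```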