[Bro-Dev] Ticket #447 and default snaplen

Seth Hall seth at icir.org
Thu Aug 2 06:33:29 PDT 2012


On Aug 2, 2012, at 4:13 AM, Tritium Cat <tritium.cat at gmail.com> wrote:

> I noticed #447 but found a default of 8192 still being used from "share/bro/base/init-bare.bro", line 2793.

We discovered that it was causing some pretty severe performance problems and changed back to 8192 by default. Ultimately the best choice will be to set the snaplen to the MTU for the link you are monitoring and to make sure and turn off all NIC features.  Doug Burks has a good reference for these features here:
	http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

I left a comment on the ticket so that people won't get caught by that quick change around in the future too.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
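
The check the message recommends (snaplen against link MTU, NIC features turned off), as an added example that is not part of Seth Hall's message or of the Bro code base. The function names, the list of ethtool feature names to watch and the sample `ethtool -k` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ethtool -k <iface>` output (not captured from a real sensor).
SAMPLE_FEATURES='Features for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Print, one per line, the watched offloads that are still "on".
# The watched list is an assumption; extend it for your NIC driver.
enabled_offloads() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 ~ /^(rx-checksumming|tx-checksumming|scatter-gather|tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload|large-receive-offload)$/ &&
        $2 ~ /^on/ { print $1 }'
}

# audit_capture <ethtool -k output> <snaplen> <mtu>
# Returns 1 if an offload is still enabled or the snaplen is below the MTU.
# The comparison uses the MTU itself, as the message recommends; whether to
# add link-layer header bytes on top is left to the operator.
audit_capture() {
    rc=0
    on=$(enabled_offloads "$1")
    if [ -n "$on" ]; then
        # Offloads let the NIC or kernel hand the sniffer frames that differ
        # from what was on the wire, so the MTU stops bounding packet size.
        echo "offloads still enabled:" $on
        rc=1
    fi
    if [ "$2" -lt "$3" ]; then
        echo "snaplen $2 is below MTU $3: full-size packets are truncated"
        rc=1
    elif [ "$2" -gt "$3" ]; then
        echo "snaplen $2 exceeds MTU $3"
    fi
    return $rc
}

# Run against the constructed sample with the 8192 default and a 1500-byte MTU.
audit_capture "$SAMPLE_FEATURES" 8192 1500 || true
```

On a live sensor, pass the output of `ethtool -k <iface>` and the value in `/sys/class/net/<iface>/mtu` instead of the sample.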