[Bro] Bro's snap length

Jim Mellander jmellander at lbl.gov
Fri Jan 13 10:21:54 PST 2012


You could have a menu of options to make it really easy:

Etherframes
Jumbo Frames
Minimum MTU frames
Full packet capture

etc

with instructions to uncomment the one that applies in your
installation, along with the usual "Choose Wisely" caveat.

On Fri, Jan 13, 2012 at 10:05 AM, Siwek, Jonathan Luke
<jsiwek at illinois.edu> wrote:
>> Just wondering what the final decision was for snaplen in 2.0?
>
>    * Reduced snaplen default from 65535 to old default of 8192. The
>      large value was introducing performance problems on many
>      systems.
>
>    * Replaced the --snaplen/-l command line option with a
>      scripting-layer option called "snaplen". The new option can also
>      be redefined on the command line, e.g. ``bro -i eth0
>      snaplen=65535``.
>
> There's also a related ticket slated for 2.1 that would help with the problems encountered at large snaplens:
>
> http://tracker.bro-ids.org/bro/ticket/553
>
> +Jon