[Bro] Adjusting Bro snaplen caused multiple Security Onion systems to sporadically kernel panic
Seth Hall
seth at icir.org
Tue Aug 11 17:43:49 PDT 2015
> On Aug 11, 2015, at 8:08 PM, Kevin Branch <kevin at branchnetconsulting.com> wrote:
>
> Is it still OK to use "redef snaplen = N;" in my local.bro file if I want to drop Bro's default snaplen to save PF_RING memory? If so, how low would you say "N" can be set to safely when jumbo frames are not involved? I got burned with sporadic kernel panics when I set N to 1514. I'd sure appreciate your input.
Yes, it should be fine to do that but I really don’t know how that change in snap length affects pf_ring. It may not actually do anything (except apparently cause crashes!?).
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list