[Bro] Adjusting Bro snaplen caused multiple Security Onion systems to sporadically kernel panic

Seth Hall seth at icir.org
Tue Aug 11 17:43:49 PDT 2015

> On Aug 11, 2015, at 8:08 PM, Kevin Branch <kevin at branchnetconsulting.com> wrote:
> Is it still OK to use "redef snaplen = N;" in my local.bro file if I want to drop Bro's default snaplen to save PF_RING memory?  If so, how low would you say "N" can be set to safely when jumbo frames are not involved?  I got burned with sporadic kernel panics when I set N to 1514.  I'd sure appreciate your input.

Yes, it should be fine to do that but I really don’t know how that change in snap length affects pf_ring.  It may not actually do anything (except apparently cause crashes!?).


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list