[Bro] - MTU and defragmentation

Jon Siwek jsiwek at corelight.com
Wed Dec 6 10:43:46 PST 2017


On Wed, Dec 6, 2017 at 10:23 AM, william de ping <bill.de.ping at gmail.com> wrote:
> I wonder what happens if my MTU is set to 1500 (default) and a jumbo TCP or
> UDP packet is sent to Bro's monitored interface.
>
> Will Bro parse only the packet containing the IP header?
> From my tests I see that Bro does not defragment the packets by default, any
> flag I should use for that?

I'd actually expect Bro to reassemble IPv4/IPv6 fragments by default,
providing that it is actually seeing the fragments from the interface
in their entirety.  Anything relevant in weird.log?  e.g. there could
be other problems going on that prevent fully processing the
fragments, like bad checksums (maybe from NIC offloading), or
incomplete captures (from too low a snaplen setting).

- Jon
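
An added example (not part of the original message and not Bro code): a small capture audit that counts the three conditions the reply names, IPv4 fragments present, frames cut short by the snaplen, and bad IPv4 header checksums. It assumes a classic little-endian pcap with Ethernet frames; the function names and the sample capture are constructed for illustration.

```python
import struct

def _fold(hdr: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, carries folded in."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def audit_pcap(data: bytes) -> dict:
    """Count fragments, snaplen-truncated frames and bad IPv4 header checksums."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected classic little-endian pcap with Ethernet frames")
    stats = dict(snaplen=snaplen, packets=0, fragments=0, truncated=0, bad_ip_checksum=0)
    off = 24
    while off + 16 <= len(data):
        caplen, origlen = struct.unpack_from("<II", data, off + 8)
        frame = data[off + 16 : off + 16 + caplen]
        off += 16 + caplen
        stats["packets"] += 1
        stats["truncated"] += caplen < origlen  # capture kept less than was on the wire
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or the IP header itself was not captured
        ihl = (frame[14] & 0x0F) * 4
        if ihl < 20 or len(frame) < 14 + ihl:
            continue
        hdr = frame[14 : 14 + ihl]
        frag_field = struct.unpack_from("!H", hdr, 6)[0]
        stats["fragments"] += bool(frag_field & 0x3FFF)  # MF flag or non-zero offset
        stats["bad_ip_checksum"] += _fold(hdr) != 0xFFFF  # valid header sums to 0xFFFF
    return stats

def _frame(frag_field: int, payload_len: int, fix_checksum: bool = True) -> bytes:
    """Constructed Ethernet + IPv4 frame (sample data, documentation addresses)."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                               frag_field, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))
    if fix_checksum:
        struct.pack_into("!H", ip, 10, ~_fold(bytes(ip)) & 0xFFFF)
    return bytes(12) + b"\x08\x00" + bytes(ip) + bytes(payload_len)

def sample_pcap(snaplen: int = 96) -> bytes:
    """Constructed capture: first fragment, last fragment, zero-checksum packet."""
    frames = [_frame(0x2000, 1480), _frame(0x00B9, 20), _frame(0, 8, fix_checksum=False)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

print(audit_pcap(sample_pcap()))
```

A non-zero `truncated` or `bad_ip_checksum` count alongside `fragments` points at the capture setup (snaplen, NIC offloading) rather than at the reassembler.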

