[Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen
Kevin Branch
kevin at branchnetconsulting.com
Wed Jun 21 08:29:18 PDT 2017
For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to
make Bro drop its default snaplen from 8192 to 1600. This is helpful for
conserving memory when using Bro in conjunction with PF_RING and a high
number of ring slots.
Today I just noticed that while Bro does not complain about "redef
Pcap::snaplen = 1600;" when I run a "broctl check", that Bro appears to be
ignoring the redef. All my Bro instances are actually using a snaplen of
8192.
I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have
observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0
(SO test).
The "Bucket Len" in the below PF_RING status file corresponds to the
snaplen of the app that allocated the ring.
root at nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
Bound Device(s) : dmz
Active : 1
Breed : Standard
Appl. Name : bro-dmz
Socket Mode : RX+TX
Capture Direction : RX+TX
Sampling Rate : 1
IP Defragment : No
BPF Filtering : Enabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules : 0
Hw Filt Rules : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss : 0
Poll Pkt Watermark : 1
Num Poll Calls : 345386919
Channel Id Mask : 0xFFFFFFFFFFFFFFFF
Cluster Id : 21
Slot Version : 16 [6.4.1]
Min Num Slots : 128000
Bucket Len : 8192
Slot Len : 8248 [bucket+header]
Tot Memory : 1055756288
Tot Packets : 1966471960
Tot Pkt Lost : 3
Tot Insert : 1966471957
Tot Read : 1966471957
Insert Offset : 809944608
Remove Offset : 809944608
Num Free Slots : 128000
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Please advise me about how to successfully change the snaplen used by Bro
2.5 at this time, Can anyone reproduce this problem? I don't know if this
issue applies across the board or only comes up with PF_RING. Let me know
if there is anything I can do to help test this issue.
Thanks!
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170621/4646ca6c/attachment.html
More information about the Bro
mailing list