[Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen

Kevin Branch kevin at branchnetconsulting.com
Wed Jun 21 08:29:18 PDT 2017


For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to
make Bro drop its default snaplen from 8192 to 1600.  This is helpful for
conserving memory when using Bro in conjunction with PF_RING and a high
number of ring slots.

Today I just noticed that while Bro does not complain about "redef
Pcap::snaplen = 1600;" when I run a "broctl check", Bro appears to be
ignoring the redef.  All my Bro instances are actually using a snaplen of
8192.

I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have
observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0
(SO test).

The "Bucket Len" in the below PF_RING status file corresponds to the
snaplen of the app that allocated the ring.

root at nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
Bound Device(s)    : dmz
Active             : 1
Breed              : Standard
Appl. Name         : bro-dmz
Socket Mode        : RX+TX
Capture Direction  : RX+TX
Sampling Rate      : 1
IP Defragment      : No
BPF Filtering      : Enabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules   : 0
Hw Filt Rules      : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss  : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 345386919
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Cluster Id         : 21
Slot Version       : 16 [6.4.1]
Min Num Slots      : 128000
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 1055756288
Tot Packets        : 1966471960
Tot Pkt Lost       : 3
Tot Insert         : 1966471957
Tot Read           : 1966471957
Insert Offset      : 809944608
Remove Offset      : 809944608
Num Free Slots     : 128000
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0


Please advise me about how to successfully change the snaplen used by Bro
2.5 at this time.  Can anyone reproduce this problem?  I don't know if this
issue applies across the board or only comes up with PF_RING.  Let me know
if there is anything I can do to help test this issue.

Thanks!
Kevin
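A check for the symptom described in this post, added here as an example and not part of the original message or of Bro/PF_RING: it parses the key/value format of a /proc/net/pf_ring status file, compares "Bucket Len" with the snaplen you configured, and estimates how much ring memory a smaller snaplen would save. The sample text is constructed from the status file quoted above; check_all_rings assumes the per-ring status files live under /proc/net/pf_ring and are named pid-interface.n.

```python
"""Verify the snaplen PF_RING actually allocated for a Bro ring."""
from pathlib import Path

# Constructed sample, modelled on the status file quoted in the post.
SAMPLE_STATUS = """\
Bound Device(s)    : dmz
Appl. Name         : bro-dmz
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Min Num Slots      : 128000
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 1055756288
"""

def parse_pf_ring_status(text):
    """Return {field: value}; values whose first token is a number become ints."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        tokens = value.split()          # "8248 [bucket+header]" -> ["8248", ...]
        token = tokens[0] if tokens else ""
        try:
            fields[key.strip()] = int(token, 0)   # base 0 also accepts 0x... masks
        except ValueError:
            fields[key.strip()] = value.strip()
    return fields

def check_snaplen(text, expected_snaplen):
    """Return (matches, bucket_len, per_slot_header_bytes) for one status file."""
    f = parse_pf_ring_status(text)
    bucket = f["Bucket Len"]
    header = f["Slot Len"] - bucket     # 8248 - 8192 = 56 bytes of slot header
    return bucket == expected_snaplen, bucket, header

def estimate_ring_bytes(text, snaplen):
    """Approximate ring memory for a snaplen: slots * (snaplen + slot header)."""
    f = parse_pf_ring_status(text)
    header = f["Slot Len"] - f["Bucket Len"]
    return f["Min Num Slots"] * (snaplen + header)

def check_all_rings(expected_snaplen, proc_dir="/proc/net/pf_ring"):
    """List (file, bucket_len) for every ring whose Bucket Len != expected."""
    mismatches = []
    for path in Path(proc_dir).glob("*-*.*"):
        if path.is_file():
            ok, bucket, _ = check_snaplen(path.read_text(), expected_snaplen)
            if not ok:
                mismatches.append((path.name, bucket))
    return mismatches

if __name__ == "__main__":
    ok, bucket, header = check_snaplen(SAMPLE_STATUS, 1600)
    print("sample ring: Bucket Len %d, matches 1600: %s" % (bucket, ok))
    for name, bucket in check_all_rings(1600):
        print("%s: Bucket Len %d != 1600" % (name, bucket))
```

Run it on a sensor after restarting Bro: any ring it lists still carries the default 8192-byte buckets, so the redef did not reach the capture layer.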