[Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen

Johanna Amann johanna at icir.org
Thu Jun 22 12:47:54 PDT 2017


Are you using pf_ring through libpcap, or are you using the pf-ring
plugin?

In case you are using it through libpcap - Bro just calls
pcap_set_snaplen; if it does not work anymore, it is probably an issue
with PF_RING or the pfring libpcap.

Johanna

On Wed, Jun 21, 2017 at 11:29:18AM -0400, Kevin Branch wrote:
> For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to
> make Bro drop its default snaplen from 8192 to 1600.  This is helpful for
> conserving memory when using Bro in conjunction with PF_RING and a high
> number of ring slots.
> 
> Today I just noticed that while Bro does not complain about "redef
> Pcap::snaplen = 1600;" when I run a "broctl check", that Bro appears to be
> ignoring the redef.  All my Bro instances are actually using a snaplen of
> 8192.
> 
> I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have
> observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0
> (SO test).
> 
> The "Bucket Len" in the below PF_RING status file corresponds to the
> snaplen of the app that allocated the ring.
> 
> root at nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
> Bound Device(s)    : dmz
> Active             : 1
> Breed              : Standard
> Appl. Name         : bro-dmz
> Socket Mode        : RX+TX
> Capture Direction  : RX+TX
> Sampling Rate      : 1
> IP Defragment      : No
> BPF Filtering      : Enabled
> Sw Filt Hash Rules : 0
> Sw Filt WC Rules   : 0
> Hw Filt Rules      : 0
> Sw Filt Hash Match : 0
> Sw Filt Hash Miss  : 0
> Poll Pkt Watermark : 1
> Num Poll Calls     : 345386919
> Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
> Cluster Id         : 21
> Slot Version       : 16 [6.4.1]
> Min Num Slots      : 128000
> Bucket Len         : 8192
> Slot Len           : 8248 [bucket+header]
> Tot Memory         : 1055756288
> Tot Packets        : 1966471960
> Tot Pkt Lost       : 3
> Tot Insert         : 1966471957
> Tot Read           : 1966471957
> Insert Offset      : 809944608
> Remove Offset      : 809944608
> Num Free Slots     : 128000
> TX: Send Ok        : 0
> TX: Send Errors    : 0
> Reflect: Fwd Ok    : 0
> Reflect: Fwd Errors: 0
> 
> 
> Please advise me about how to successfully change the snaplen used by Bro
> 2.5 at this time. Can anyone reproduce this problem?  I don't know if this
> issue applies across the board or only comes up with PF_RING.  Let me know
> if there is anything I can do to help test this issue.
> 
> Thanks!
> Kevin

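As an added example (not part of this thread), a small Python check that reads a PF_RING status file like the one Kevin pasted, compares "Bucket Len" with the snaplen redef'd in local.bro, and estimates how much ring memory the current and intended snaplen cost. The embedded status text is a constructed sample abridged from the values in the thread; the header overhead is derived from Slot Len minus Bucket Len rather than assumed.

```python
"""Check whether a PF_RING ring got the snaplen configured in Bro.

Reads a /proc/net/pf_ring/<pid>-<iface>.<n> status file: "Bucket Len"
is the snaplen of the app that allocated the ring, "Slot Len" adds the
per-slot PF_RING header. Added example, not Bro or PF_RING code.
"""
import re
import sys

# Constructed sample, abridged from the status file posted in the thread.
SAMPLE_STATUS = """\
Bound Device(s)    : dmz
Appl. Name         : bro-dmz
Slot Version       : 16 [6.4.1]
Min Num Slots      : 128000
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 1055756288
"""


def parse_pf_ring_status(text: str) -> dict:
    """Parse 'Key : Value' lines into a dict; values keep trailing notes."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _leading_int(value: str) -> int:
    """Integer at the start of a value such as '8248 [bucket+header]'."""
    m = re.match(r"\d+", value)
    if not m:
        raise ValueError(f"no integer in {value!r}")
    return int(m.group())


def check_snaplen(status_text: str, expected_snaplen: int) -> dict:
    """Compare the ring's Bucket Len with the snaplen set via redef."""
    f = parse_pf_ring_status(status_text)
    bucket = _leading_int(f["Bucket Len"])
    slot = _leading_int(f["Slot Len"])
    slots = _leading_int(f["Min Num Slots"])
    header = slot - bucket  # per-slot header overhead, taken from the file
    return {
        "app": f.get("Appl. Name", "?"),
        "bucket_len": bucket,
        "snaplen_applied": bucket == expected_snaplen,
        "ring_bytes_now": slots * slot,
        "ring_bytes_if_applied": slots * (expected_snaplen + header),
    }


if __name__ == "__main__":
    # Pass a real status file path to check a live ring; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    print(check_snaplen(text, 1600))
```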


