[Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen
Johanna Amann
johanna at icir.org
Thu Jun 22 12:47:54 PDT 2017
Are you using pf_ring through libpcap, or are you using the pf-ring
plugin?
In case you are using it through libpcap - Bro just calls
pcap_set_snaplen; if it does not work anymore, it is probably an issue
with PF_RING or the pfring libpcap.
Johanna
On Wed, Jun 21, 2017 at 11:29:18AM -0400, Kevin Branch wrote:
> For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to
> make Bro drop its default snaplen from 8192 to 1600. This is helpful for
> conserving memory when using Bro in conjunction with PF_RING and a high
> number of ring slots.
>
> Today I just noticed that while Bro does not complain about "redef
> Pcap::snaplen = 1600;" when I run a "broctl check", Bro appears to be
> ignoring the redef. All my Bro instances are actually using a snaplen of
> 8192.
>
> I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have
> observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0
> (SO test).
>
> The "Bucket Len" in the below PF_RING status file corresponds to the
> snaplen of the app that allocated the ring.
>
> root at nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
> Bound Device(s) : dmz
> Active : 1
> Breed : Standard
> Appl. Name : bro-dmz
> Socket Mode : RX+TX
> Capture Direction : RX+TX
> Sampling Rate : 1
> IP Defragment : No
> BPF Filtering : Enabled
> Sw Filt Hash Rules : 0
> Sw Filt WC Rules : 0
> Hw Filt Rules : 0
> Sw Filt Hash Match : 0
> Sw Filt Hash Miss : 0
> Poll Pkt Watermark : 1
> Num Poll Calls : 345386919
> Channel Id Mask : 0xFFFFFFFFFFFFFFFF
> Cluster Id : 21
> Slot Version : 16 [6.4.1]
> Min Num Slots : 128000
> Bucket Len : 8192
> Slot Len : 8248 [bucket+header]
> Tot Memory : 1055756288
> Tot Packets : 1966471960
> Tot Pkt Lost : 3
> Tot Insert : 1966471957
> Tot Read : 1966471957
> Insert Offset : 809944608
> Remove Offset : 809944608
> Num Free Slots : 128000
> TX: Send Ok : 0
> TX: Send Errors : 0
> Reflect: Fwd Ok : 0
> Reflect: Fwd Errors: 0
>
>
> Please advise me about how to successfully change the snaplen used by Bro
> 2.5 at this time. Can anyone reproduce this problem? I don't know if this
> issue applies across the board or only comes up with PF_RING. Let me know
> if there is anything I can do to help test this issue.
>
> Thanks!
> Kevin
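As an added check (not code from the thread, Bro or PF_RING), the following Python parses the /proc/net/pf_ring status format quoted above and compares each ring's "Bucket Len" with the snaplen the Bro config asked for, so an ignored redef shows up without reading the files by hand. The per-ring file naming pattern and the per-slot header size (Slot Len minus Bucket Len) are assumptions drawn from the sample.

```python
import re
from pathlib import Path

# Constructed sample in the /proc/net/pf_ring/<pid>-<dev>.<id> format quoted in the thread
# (values copied from the post), including a key that itself contains a colon.
SAMPLE_STATUS = """\
Appl. Name : bro-dmz
Channel Id Mask : 0xFFFFFFFFFFFFFFFF
Min Num Slots : 128000
Bucket Len : 8192
Slot Len : 8248 [bucket+header]
TX: Send Ok : 0
"""

def parse_pf_ring_status(text: str) -> dict:
    """Split each line on its LAST colon so 'TX: Send Ok : 0' keeps its whole key."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.rpartition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def _leading_int(value: str) -> int:
    """Integer at the start of a value such as '8248 [bucket+header]'."""
    m = re.match(r"\d+", value)
    if not m:
        raise ValueError(f"no integer in {value!r}")
    return int(m.group())

def estimate_ring_bytes(fields: dict, snaplen: int) -> int:
    """Ring memory for a snaplen: slots * (snaplen + per-slot header), where the
    header size is assumed to be Slot Len - Bucket Len (56 bytes in the sample)."""
    header = _leading_int(fields["Slot Len"]) - _leading_int(fields["Bucket Len"])
    return _leading_int(fields["Min Num Slots"]) * (snaplen + header)

def check_ring(fields: dict, expected: int) -> tuple:
    """Bucket Len is the snaplen the ring was allocated with; compare it to the configured value."""
    actual = _leading_int(fields["Bucket Len"])
    app = fields.get("Appl. Name", "?")
    if actual == expected:
        return True, f"{app}: snaplen {actual} as configured"
    mib = lambda n: estimate_ring_bytes(fields, n) // 2**20
    return False, f"{app}: ring uses snaplen {actual} ({mib(actual)} MiB), expected {expected} ({mib(expected)} MiB)"

def check_all_rings(expected: int, proc_dir: str = "/proc/net/pf_ring") -> list:
    """Check every per-ring status file on a live host (assumed name pattern <pid>-<dev>.<id>)."""
    return [check_ring(parse_pf_ring_status(p.read_text()), expected)
            for p in Path(proc_dir).glob("*") if p.is_file() and re.fullmatch(r"\d+-.+\.\d+", p.name)]
```

On a sensor, `check_all_rings(1600)` returns one (ok, message) pair per ring; a False entry means the ring was allocated with a different snaplen than local.bro configured.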