[Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen

Thayer, Daniel N dnthayer at illinois.edu
Thu Jun 22 21:59:52 PDT 2017


You might want to try setting this value in your etc/broctl.cfg file:
pcapsnaplen=1600


________________________________
From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Kevin Branch [kevin at branchnetconsulting.com]
Sent: Wednesday, June 21, 2017 10:29 AM
To: bro at bro.org
Subject: [Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen

For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to make Bro drop its default snaplen from 8192 to 1600.  This is helpful for conserving memory when using Bro in conjunction with PF_RING and a high number of ring slots.

Today I just noticed that while Bro does not complain about "redef Pcap::snaplen = 1600;" when I run a "broctl check", that Bro appears to be ignoring the redef.  All my Bro instances are actually using a snaplen of 8192.

I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0 (SO test).

The "Bucket Len" in the below PF_RING status file corresponds to the snaplen of the app that allocated the ring.

root at nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
Bound Device(s)    : dmz
Active             : 1
Breed              : Standard
Appl. Name         : bro-dmz
Socket Mode        : RX+TX
Capture Direction  : RX+TX
Sampling Rate      : 1
IP Defragment      : No
BPF Filtering      : Enabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules   : 0
Hw Filt Rules      : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss  : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 345386919
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Cluster Id         : 21
Slot Version       : 16 [6.4.1]
Min Num Slots      : 128000
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 1055756288
Tot Packets        : 1966471960
Tot Pkt Lost       : 3
Tot Insert         : 1966471957
Tot Read           : 1966471957
Insert Offset      : 809944608
Remove Offset      : 809944608
Num Free Slots     : 128000
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0

Please advise me about how to successfully change the snaplen used by Bro 2.5 at this time,  Can anyone reproduce this problem?  I don't know if this issue applies across the board or only comes up with PF_RING.  Let me know if there is anything I can do to help test this issue.

Thanks!
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170623/bd6c0844/attachment.html 


More information about the Bro mailing list