[Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen
Thayer, Daniel N
dnthayer at illinois.edu
Thu Jun 22 21:59:52 PDT 2017
You might want to try setting this value in your etc/broctl.cfg file:
pcapsnaplen=1600
________________________________
From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Kevin Branch [kevin at branchnetconsulting.com]
Sent: Wednesday, June 21, 2017 10:29 AM
To: bro at bro.org
Subject: [Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen
For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to make Bro drop its default snaplen from 8192 to 1600. This is helpful for conserving memory when using Bro in conjunction with PF_RING and a high number of ring slots.
Today I just noticed that while Bro does not complain about "redef Pcap::snaplen = 1600;" when I run a "broctl check", Bro appears to be ignoring the redef. All my Bro instances are actually using a snaplen of 8192.
I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0 (SO test).
The "Bucket Len" in the below PF_RING status file corresponds to the snaplen of the app that allocated the ring.
root at nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
Bound Device(s) : dmz
Active : 1
Breed : Standard
Appl. Name : bro-dmz
Socket Mode : RX+TX
Capture Direction : RX+TX
Sampling Rate : 1
IP Defragment : No
BPF Filtering : Enabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules : 0
Hw Filt Rules : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss : 0
Poll Pkt Watermark : 1
Num Poll Calls : 345386919
Channel Id Mask : 0xFFFFFFFFFFFFFFFF
Cluster Id : 21
Slot Version : 16 [6.4.1]
Min Num Slots : 128000
Bucket Len : 8192
Slot Len : 8248 [bucket+header]
Tot Memory : 1055756288
Tot Packets : 1966471960
Tot Pkt Lost : 3
Tot Insert : 1966471957
Tot Read : 1966471957
Insert Offset : 809944608
Remove Offset : 809944608
Num Free Slots : 128000
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Please advise me about how to successfully change the snaplen used by Bro 2.5 at this time. Can anyone reproduce this problem? I don't know if this issue applies across the board or only comes up with PF_RING. Let me know if there is anything I can do to help test this issue.
Thanks!
Kevin
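A small check, added here and not part of the thread, that parses the "Bucket Len" field out of a /proc/net/pf_ring status file like the one quoted above and compares it with the pcapsnaplen set in broctl.cfg, so a mismatch (the redef being ignored) shows up without reading the file by hand. The broctl.cfg path and the 8192 fallback are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the snaplen a running Bro worker
# actually negotiated with PF_RING by reading the "Bucket Len" field of a
# /proc/net/pf_ring/<pid>-<iface>.<n> status file.

# Print the integer after "Bucket Len :" from a pf_ring status file.
# The file is "Key : Value" lines; Bucket Len mirrors the capturing app's snaplen.
bucket_len() {
    awk -F':' '/^Bucket Len/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1"
}

# Compare one ring's bucket length with the snaplen we expect (0 = match).
check_snaplen() {
    expected="$2"
    actual=$(bucket_len "$1")
    if [ -z "$actual" ]; then
        echo "$1: no Bucket Len field found" >&2
        return 2
    fi
    if [ "$actual" -eq "$expected" ]; then
        echo "$1: ring uses snaplen $actual (as configured)"
        return 0
    fi
    echo "$1: ring uses snaplen $actual, expected $expected (redef ignored?)" >&2
    return 1
}

# Check every pf_ring socket on the box against pcapsnaplen in broctl.cfg.
check_all_rings() {
    cfg="${1:-/opt/bro/etc/broctl.cfg}"   # assumed install path; adjust as needed
    want=$(sed -n 's/^pcapsnaplen[[:space:]]*=[[:space:]]*//p' "$cfg")
    want="${want:-8192}"                   # assumed: Bro's default when unset
    rc=0
    for f in /proc/net/pf_ring/*-*.*; do
        [ -f "$f" ] || continue
        check_snaplen "$f" "$want" || rc=1
    done
    return $rc
}

# Constructed sample mirroring the status file quoted in the thread.
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    printf 'Appl. Name         : bro-dmz\nBucket Len         : 8192\nSlot Len           : 8248 [bucket+header]\n' > "$sample"
    check_snaplen "$sample" 1600   # reports the mismatch Kevin observed
    rm -f "$sample"
fi
```

Run with `--demo` to see the mismatch on the constructed sample, or call `check_all_rings` on a sensor after `broctl restart` to verify the value took effect.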