
List:       bro
Subject:    Re: [Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen
From:       "Thayer, Daniel N" <dnthayer () illinois ! edu>
Date:       2017-06-23 4:59:52
Message-ID: 8F865DA62E66F543B6104A2835719CF969D20A0C () CITESMBX5 ! ad ! uillinois ! edu

You might want to try setting this value in your etc/broctl.cfg file:
pcapsnaplen=1600


________________________________
From: bro-bounces@bro.org [bro-bounces@bro.org] on behalf of Kevin Branch [kevin@branchnetconsulting.com]
Sent: Wednesday, June 21, 2017 10:29 AM
To: bro@bro.org
Subject: [Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen

For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to make Bro drop its default snaplen from 8192 to 1600.  This is helpful for conserving memory when using Bro in conjunction with PF_RING and a high number of ring slots.

Today I just noticed that while Bro does not complain about "redef Pcap::snaplen = 1600;" when I run a "broctl check", Bro appears to be ignoring the redef.  All my Bro instances are actually using a snaplen of 8192.

I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0 (SO test).

The "Bucket Len" in the below PF_RING status file corresponds to the snaplen of the app that allocated the ring.

root@nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
Bound Device(s)    : dmz
Active             : 1
Breed              : Standard
Appl. Name         : bro-dmz
Socket Mode        : RX+TX
Capture Direction  : RX+TX
Sampling Rate      : 1
IP Defragment      : No
BPF Filtering      : Enabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules   : 0
Hw Filt Rules      : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss  : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 345386919
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Cluster Id         : 21
Slot Version       : 16 [6.4.1]
Min Num Slots      : 128000
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 1055756288
Tot Packets        : 1966471960
Tot Pkt Lost       : 3
Tot Insert         : 1966471957
Tot Read           : 1966471957
Insert Offset      : 809944608
Remove Offset      : 809944608
Num Free Slots     : 128000
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0

Please advise me about how to successfully change the snaplen used by Bro 2.5 at this time.  Can anyone reproduce this problem?  I don't know if this issue applies across the board or only comes up with PF_RING.  Let me know if there is anything I can do to help test this issue.

Thanks!
Kevin
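To check from the ring's side what Kevin describes above (the ring's "Bucket Len" reflecting the snaplen of the app that allocated it), here is an added Python check that is not part of the thread: it parses a constructed status sample modelled on the quoted /proc/net/pf_ring output, compares the bucket length with the snaplen you believe you configured, and estimates ring memory for a target snaplen using the per-slot header observed in the file.

```python
import re

# Constructed sample, modelled on the /proc/net/pf_ring status file quoted above
SAMPLE_STATUS = """\
Bound Device(s)    : dmz
Active             : 1
Appl. Name         : bro-dmz
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Slot Version       : 16 [6.4.1]
Min Num Slots      : 128000
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 1055756288
Tot Pkt Lost       : 3
"""

def parse_pf_ring_status(text):
    """Turn 'Key : Value' lines into a dict. A leading decimal number becomes an
    int and trailing annotations such as '[bucket+header]' are dropped; anything
    else (e.g. the hex channel mask) is kept as a string."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        m = re.match(r"^(\d+)(?:\s|$)", value)
        fields[key] = int(m.group(1)) if m else value
    return fields

def check_snaplen(status, expected_snaplen):
    """Compare the ring's bucket length with the snaplen the capture app was
    meant to use; a mismatch means the configured value did not take effect."""
    actual = status["Bucket Len"]
    return actual == expected_snaplen, actual

def estimate_ring_memory(status, snaplen):
    """Approximate ring memory as slots * (snaplen + per-slot header), taking
    the header size from the observed Slot Len - Bucket Len."""
    header = status["Slot Len"] - status["Bucket Len"]
    return status["Min Num Slots"] * (snaplen + header)

if __name__ == "__main__":
    status = parse_pf_ring_status(SAMPLE_STATUS)
    ok, actual = check_snaplen(status, 1600)
    print("snaplen in effect:", actual, "(as expected)" if ok else "(expected 1600)")
    print("ring memory now:   ", estimate_ring_memory(status, actual))
    print("ring memory @1600: ", estimate_ring_memory(status, 1600))
```

Run it against a real file with `parse_pf_ring_status(open("/proc/net/pf_ring/<id>-<iface>.<n>").read())`; the estimate will sit slightly below the reported "Tot Memory" because the ring header itself is not counted.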


_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro