[prev in list] [next in list] [prev in thread] [next in thread]
List: bro
Subject: Re: [Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen
From: "Thayer, Daniel N" <dnthayer () illinois ! edu>
Date: 2017-06-23 4:59:52
Message-ID: 8F865DA62E66F543B6104A2835719CF969D20A0C () CITESMBX5 ! ad ! uillinois ! edu
[Download RAW message or body]
You might want to try setting this value in your etc/broctl.cfg file:
pcapsnaplen=1600
________________________________
From: bro-bounces@bro.org [bro-bounces@bro.org] on behalf of Kevin Branch \
[kevin@branchnetconsulting.com]
Sent: Wednesday, June 21, 2017 10:29 AM
To: bro@bro.org
Subject: [Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen
For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to make Bro \
drop its default snaplen from 8192 to 1600. This is helpful for conserving memory \
when using Bro in conjunction with PF_RING and a high number of ring slots.
Today I just noticed that while Bro does not complain about "redef Pcap::snaplen = \
1600;" when I run a "broctl check", that Bro appears to be ignoring the redef. All \
my Bro instances are actually using a snaplen of 8192.
I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have observed this \
problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0 (SO test).
The "Bucket Len" in the below PF_RING status file corresponds to the snaplen of the \
app that allocated the ring.
root@nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
Bound Device(s) : dmz
Active : 1
Breed : Standard
Appl. Name : bro-dmz
Socket Mode : RX+TX
Capture Direction : RX+TX
Sampling Rate : 1
IP Defragment : No
BPF Filtering : Enabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules : 0
Hw Filt Rules : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss : 0
Poll Pkt Watermark : 1
Num Poll Calls : 345386919
Channel Id Mask : 0xFFFFFFFFFFFFFFFF
Cluster Id : 21
Slot Version : 16 [6.4.1]
Min Num Slots : 128000
Bucket Len : 8192
Slot Len : 8248 [bucket+header]
Tot Memory : 1055756288
Tot Packets : 1966471960
Tot Pkt Lost : 3
Tot Insert : 1966471957
Tot Read : 1966471957
Insert Offset : 809944608
Remove Offset : 809944608
Num Free Slots : 128000
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Please advise me about how to successfully change the snaplen used by Bro 2.5 at this \
time, Can anyone reproduce this problem? I don't know if this issue applies across \
the board or only comes up with PF_RING. Let me know if there is anything I can do \
to help test this issue.
Thanks!
Kevin
[Attachment #3 (text/html)]
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" id="owaParaStyle"></style>
</head>
<body fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">
<div>You might want to try setting this value in your etc/broctl.cfg file:</div>
<div>pcapsnaplen=1600</div>
<div><br>
</div>
<br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF3645" style="direction: ltr;"><font face="Tahoma" size="2" \
color="#000000"><b>From:</b> bro-bounces@bro.org [bro-bounces@bro.org] on behalf of \
Kevin Branch [kevin@branchnetconsulting.com]<br> <b>Sent:</b> Wednesday, June 21, \
2017 10:29 AM<br> <b>To:</b> bro@bro.org<br>
<b>Subject:</b> [Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen<br>
</font><br>
</div>
<div></div>
<div>
<div dir="ltr">For a long time I have used "redef Pcap::snaplen = 1600;" in \
local.bro to make Bro drop its default snaplen from 8192 to 1600. This is \
helpful for conserving memory when using Bro in conjunction with PF_RING and a high \
number of ring slots. <div><br>
</div>
<div>
<div>
<div>Today I just noticed that while Bro does not complain about "redef \
Pcap::snaplen = 1600;" when I run a "broctl check", that Bro appears \
to be ignoring the redef. All my Bro instances are actually using a snaplen of \
8192.</div> <div><br>
</div>
<div>I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have observed \
this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0 (SO test).</div> \
<div><br> </div>
<div>The "Bucket Len" in the below PF_RING status file corresponds to the \
snaplen of the app that allocated the ring.</div> <div><br>
</div>
</div>
<blockquote style="margin:0px 0px 0px 40px; border:none; padding:0px">
<div>root@nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9</div>
<div>Bound Device(s) : dmz</div>
<div>Active : 1</div>
<div>Breed : Standard</div>
<div>Appl. Name : bro-dmz</div>
<div>Socket Mode : RX+TX</div>
<div>Capture Direction : RX+TX</div>
<div>Sampling Rate : 1</div>
<div>IP Defragment : No</div>
<div>BPF Filtering : Enabled</div>
<div>Sw Filt Hash Rules : 0</div>
<div>Sw Filt WC Rules : 0</div>
<div>Hw Filt Rules : 0</div>
<div>Sw Filt Hash Match : 0</div>
<div>Sw Filt Hash Miss : 0</div>
<div>Poll Pkt Watermark : 1</div>
<div>Num Poll Calls : 345386919</div>
<div>Channel Id Mask : 0xFFFFFFFFFFFFFFFF</div>
<div>Cluster Id : 21</div>
<div>Slot Version : 16 [6.4.1]</div>
<div>Min Num Slots : 128000</div>
<div>Bucket Len : 8192</div>
<div>Slot Len : 8248 [bucket+header]</div>
<div>Tot Memory : 1055756288</div>
<div>Tot Packets : 1966471960</div>
<div>Tot Pkt Lost : 3</div>
<div>Tot Insert : 1966471957</div>
<div>Tot Read : 1966471957</div>
<div>Insert Offset : 809944608</div>
<div>Remove Offset : 809944608</div>
<div>Num Free Slots : 128000</div>
<div>TX: Send Ok : 0</div>
<div>TX: Send Errors : 0</div>
<div>Reflect: Fwd Ok : 0</div>
<div>Reflect: Fwd Errors: 0</div>
</blockquote>
<div>
<div><br>
</div>
<div>Please advise me about how to successfully change the snaplen used by Bro 2.5 at \
this time, Can anyone reproduce this problem? I don't know if this issue \
applies across the board or only comes up with PF_RING. Let me know if there is \
anything I can do to help test this issue.<br>
</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Kevin</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--===============0979538363==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic