snaplen is too small for jumbo frames

Description

topic/jazoff/fix-snaplen in broctl and bro change the default snaplen from 8192 to 9216.

The default snaplen is too small to handle jumbo frames properly.

Also, I'm not sure if the pcap variables in broctl should default to anything. With the options defaulting to a value, you can't override the snaplen with a redef in a Bro script, since the broctl-config.bro file pushed out by broctl will override it.
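As an added example (not part of the original ticket or of the Bro/broctl code): a Python check that reads a classic pcap file and lists the frames whose captured length is shorter than their on-wire length, run on a constructed capture at the old and new default snaplen. The frame sizes, the little-endian microsecond pcap layout, and the function names are assumptions made for the illustration.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps

def build_pcap(snaplen, frame_sizes):
    """Constructed sample: a classic pcap whose records are cut at snaplen."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    for i, size in enumerate(frame_sizes):
        caplen = min(size, snaplen)  # what a capture with this snaplen would keep
        out += struct.pack("<IIII", i, 0, caplen, size) + bytes(caplen)
    return out

def truncated_frames(pcap_bytes):
    """Return (snaplen, [(index, captured_len, wire_len), ...]) for cut-off frames."""
    magic, _maj, _min, _tz, _sig, snaplen, _link = struct.unpack_from(
        "<IHHiIII", pcap_bytes, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian microsecond pcap file")
    offset, index, cut = 24, 0, []
    while offset + 16 <= len(pcap_bytes):
        _sec, _usec, caplen, wirelen = struct.unpack_from("<IIII", pcap_bytes, offset)
        offset += 16
        if offset + caplen > len(pcap_bytes):
            raise ValueError("record %d runs past end of file" % index)
        if caplen < wirelen:  # payload beyond caplen never reached the analyzer
            cut.append((index, caplen, wirelen))
        offset += caplen
        index += 1
    return snaplen, cut

# Constructed frame sizes: a standard 1514-byte frame, a 9014-byte jumbo frame
# (9000-byte MTU plus 14-byte Ethernet header), and a minimum-size frame.
SAMPLE_FRAMES = [1514, 9014, 60]

if __name__ == "__main__":
    for snaplen in (8192, 9216):
        _, cut = truncated_frames(build_pcap(snaplen, SAMPLE_FRAMES))
        print("snaplen=%d truncated=%s" % (snaplen, cut))
```
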

Environment

None

Activity

Daniel Thayer
September 20, 2017, 7:43 PM

I would propose that we just remove that broctl config option. I think it's more confusing
than helpful to be able to configure the same parameter in two totally different files (especially
considering that the two variables don't even share the same name!).

Justin Azoff
September 20, 2017, 7:50 PM

Works for me, I guess. Most likely, if someone did change either of those options, it was to set snaplen to 9216 in the first place.

Can the broctl option be deprecated and a warning emitted that the option should be set in local.bro instead? Then we can remove it in version+2

Daniel Thayer
September 20, 2017, 8:00 PM

Yes, that's trivial to do (and there's already an example of this in the broctl src code).

Jon Siwek
August 21, 2018, 8:00 PM

I merged the branch but didn't do the suggestion of deprecating the broctl option: I noticed there are other options for which broctl ends up adding an overriding redef, so it would make sense to consider auditing whether they actually make sense as broctl options and then deprecating them all at one time rather than just for this one option.

Fixed

Assignee

Jon Siwek

Reporter

Justin Azoff

Labels

None

External issue ID

None

Components

Fix versions

Affects versions

Priority

Normal