mirror of
https://github.com/zeek/zeek.git
synced 2025-10-17 14:08:20 +00:00
Tuning fragment storage down to 5 minutes in the default tuning.
This commit is contained in:
Seth Hall
parent
d29ffc759d
commit
999b48e801
2 changed files with 12 additions and 1 deletions
|
|
@ -1 +1,2 @@
|
|||
@load tuning/defaults/remove-high-volume-notices
|
||||
@load tuning/defaults/remove-high-volume-notices
|
||||
@load tuning/defaults/packet-fragments
|
||||
10
policy/tuning/defaults/packet-fragments.bro
Normal file
10
policy/tuning/defaults/packet-fragments.bro
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
## Capture TCP fragments, but not UDP (or ICMP), since those are a lot more
|
||||
## common due to high-volume, fragmenting protocols such as NFS :-(.
|
||||
|
||||
## This normally isn't used because of the default open packet filter
|
||||
## but we set it anyway in case the user is using a packet filter.
|
||||
redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" };
|
||||
|
||||
## Shorten the fragment timeout from never expiring to expiring fragments after
|
||||
## five minutes.
|
||||
redef frag_timeout = 5 min;
|
||||
Loading…
Add table
Add a link
Reference in a new issue