Merge remote-tracking branch 'origin/master' into topic/bernhard/input

2025-10-04 15:48:19 +00:00 · 2012-01-07 09:16:23 -08:00 · 2012-01-07 09:16:23 -08:00 · a8d4a3c35b
commit a8d4a3c35b
parent 5bef49d625 e83df9487a
8 changed files with 90 additions and 16 deletions
--- a/9
+++ b/9
@ -1,4 +1,13 @@

+2.0-beta-177 | 2012-01-05 15:01:07 -0800
+
+  * Replace the --snaplen/-l command line option with a
+    scripting-layer option called "snaplen" (which can also be
+    redefined on the command line, e.g. `bro -i eth0 snaplen=65535`).
+
+  * Reduce snaplen default from 65535 to old default of 8192. Fixes
+    #720. (Jon Siwek)
+
 2.0-beta-174 | 2012-01-04 12:47:10 -0800

  * SSL improvements. (Seth Hall)
--- a/51
+++ b/51
@ -0,0 +1,51 @@
+
+Release Notes
+=============
+
+This document summarizes the most important changes in the current Bro
+release. For a complete list of changes, see the ``CHANGES`` file.
+
+Bro 2.0
+-------
+
+As the version number jump suggests, Bro 2.0 is a major upgrade and
+lots of things have changed. We have assembled a separate upprade
+guide with the most important changes compared to Bro 1.5 at
+http://www.bro-ids.org/documentation/upgrade.bro.html. You can find
+the offline version of that document in ``doc/upgrade.rst.``.
+
+Compared to the earlier 2.0 Beta version, the major changes in the
+final release are:
+
+    * The default scripts now come with complete reference
+      documentation. See
+      http://www.bro-ids.org/documentation/index.html.
+
+    * libz and libmagic are now required dependencies.
+
+    * Reduced snaplen default from 65535 to old default of 8192. The
+      large value was introducing performance problems on many
+      systems.
+
+    * Replaced the --snaplen/-l command line option with a
+      scripting-layer option called "snaplen". The new option can also
+      be redefined on the command line, e.g. ``bro -i eth0
+      snaplen=65535``.
+
+    * Reintroduced the BRO_LOG_SUFFIX environment that the ASCII
+      logger now respects to add a suffix to the log files it creates.
+
+    * The ASCII logs now include further header information, and 
+      fields set to an empty value are now logged as ``(empty)`` by
+      default (instead of ``-``, which is already used for fields that
+      are not set at all).
+
+    * Some NOTICES were renamed, and the signatures of some SSL events
+      have changed.
+
+    * Many smaller bug fixes, portability improvements, and general
+      polishing.
+
+
+
+
--- a/10
+++ b/10
@ -4,13 +4,15 @@ Bro Network Security Monitor

 Bro is a powerful framework for network analysis and security
 monitoring. Please see the INSTALL file for installation instructions
-and pointers for getting started. For more documentation, research
-publications, and community contact information, see Bro's home page:
+and pointers for getting started. NEWS contains releases notes for the
+current version, and CHANGES has the complete history of changes.
+Please see COPYING for licensing information.
+
+For more documentation, research publications, and community contact
+information, please see Bro's home page:

    http://www.bro-ids.org

-Please see COPYING for licensing information.
-
 On behalf of the Bro Development Team,

 Vern Paxson & Robin Sommer,
--- a/2
+++ b/2
@ -1 +1 @@
-2.0-beta-174
+2.0-beta-177
--- a/doc/faq.rst
+++ b/doc/faq.rst
@ -28,6 +28,23 @@ Here are some pointers to more information:
  Lothar Braun et. al evaluates packet capture performance on
  commodity hardware

+Are there any gotchas regarding interface configuration for live capture?  Or why might I be seeing abnormally large packets much greater than interface MTU?
+-------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+Some NICs offload the reassembly of traffic into "superpackets" so that
+fewer packets are then passed up the stack (e.g. "TCP segmentation
+offload", or "generic segmentation offload").  The result is that the
+capturing application will observe packets much larger than the MTU size
+of the interface they were captured from and may also interfere with the
+maximum packet capture length, ``snaplen``, so it's a good idea to disable
+an interface's offloading features.
+
+You can use the ``ethtool`` program on Linux to view and disable
+offloading features of an interface.  See this page for more explicit
+directions:
+
+http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
+
 What does an error message like ``internal error: NB-DNS error`` mean?
 ---------------------------------------------------------------------------------------------------------------------------------

--- a/doc/upgrade.rst
+++ b/doc/upgrade.rst
@ -168,10 +168,6 @@ New Default Settings
  are loaded. See ``PacketFilter::all_packets`` for how to revert to old
  behavior.

- By default, Bro now sets a libpcap snaplen of 65535. Depending on
-  the OS, this may have performance implications and you can use the
-  ``--snaplen`` option to change the value.
-  
 API Changes
 -----------

--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -1505,6 +1505,9 @@ const skip_http_data = F &redef;
 ## UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
 const parse_udp_tunnels = F &redef;

+## Number of bytes per packet to capture from live interfaces.
+const snaplen = 8192 &redef;
+
 # Load the logging framework here because it uses fairly deep integration with 
 # BiFs and script-land defined types.
@load base/frameworks/logging
--- a/src/main.cc
+++ b/src/main.cc
@ -99,7 +99,7 @@ extern char version[];
 char* command_line_policy = 0;
 vector<string> params;
 char* proc_status_file = 0;
-int snaplen = 65535;	// really want "capture entire packet"
+int snaplen = 0;	// this gets set from the scripting-layer's value

 int FLAGS_use_binpac = false;

@ -147,7 +147,6 @@ void usage()
 	fprintf(stderr, "    -g|--dump-config               | dump current config into .state dir\n");
 	fprintf(stderr, "    -h|--help|-?                   | command line help\n");
 	fprintf(stderr, "    -i|--iface <interface>         | read from given interface\n");
-	fprintf(stderr, "    -l|--snaplen <snaplen>         | number of bytes per packet to capture from interfaces (default 65535)\n");
 	fprintf(stderr, "    -p|--prefix <prefix>           | add given prefix to policy file resolution\n");
 	fprintf(stderr, "    -r|--readfile <readfile>       | read from given tcpdump file\n");
 	fprintf(stderr, "    -y|--flowfile <file>[=<ident>] | read from given flow file\n");
@ -374,7 +373,6 @@ int main(int argc, char** argv)
 		{"filter",		required_argument,	0,	'f'},
 		{"help",		no_argument,		0,	'h'},
 		{"iface",		required_argument,	0,	'i'},
-		{"snaplen",		required_argument,	0,	'l'},
 		{"doc-scripts",		no_argument,		0,	'Z'},
 		{"prefix",		required_argument,	0,	'p'},
 		{"readfile",		required_argument,	0,	'r'},
@ -483,10 +481,6 @@ int main(int argc, char** argv)
 			interfaces.append(optarg);
 			break;

-		case 'l':
-			snaplen = atoi(optarg);
-			break;
-
 		case 'p':
 			prefixes.append(optarg);
 			break;
@ -837,6 +831,8 @@ int main(int argc, char** argv)
 			}
 		}

+	snaplen = internal_val("snaplen")->AsCount();
+
 	// Initialize the secondary path, if it's needed.
 	secondary_path = new SecondaryPath();