From 645c80f9742049e45cab9f7349ed34a1ddb722d8 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Wed, 4 Jan 2012 16:30:15 -0600
Subject: [PATCH 1/2] Reduce snaplen default from 65535 to old default of 8192. (fixes #720)
Also replaced the --snaplen/-l command line option with a scripting-layer option called "snaplen" (which can also be redefined on the command line, e.g. `bro -i eth0 snaplen=65535`).
---
 scripts/base/init-bare.bro | 3 +++
 src/main.cc | 10 +++-------
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 859a69f2dc..5e334496c6 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -1505,6 +1505,9 @@ const skip_http_data = F &redef;
 ## UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
 const parse_udp_tunnels = F &redef;
+## Number of bytes per packet to capture from live interfaces.
+const snaplen = 8192 &redef;
+
 # Load the logging framework here because it uses fairly deep integration with
 # BiFs and script-land defined types.
 @load base/frameworks/logging
diff --git a/src/main.cc b/src/main.cc
index b4a27862c9..3d096c7d51 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -97,7 +97,7 @@ extern char version[];
 char* command_line_policy = 0;
 vector params;
 char* proc_status_file = 0;
-int snaplen = 65535; // really want "capture entire packet"
+int snaplen = 0; // this gets set from the scripting-layer's value
 int FLAGS_use_binpac = false;
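Review bot: The doc comment on `snaplen` does not say what happens to packets longer than the limit, which matters on a monitoring sensor: bytes past `snaplen` are not captured, so analyzers and signatures only see the truncated payload. With the default going back down to 8192, frames larger than that (jumbo frames, or segments coalesced by NIC receive offload) would be cut short. I would extend the comment, e.g. `## Packets longer than this are truncated before analysis; raise it if the link carries jumbo frames or receive offloading is enabled.`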
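Review bot: Initialising `snaplen` to 0 leaves the global without a usable value until the assignment added near line 827 of `main()`, and the new comment does not say when that happens. Whether any packet source is opened before that point is not visible in these hunks; if one is, it would be configured with a capture length of 0. I would make the comment explicit, e.g. `// 0 until main() copies the script-layer "snaplen" value; must not be read before that`.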
@@ -145,7 +145,6 @@ void usage()
 fprintf(stderr, " -g|--dump-config | dump current config into .state dir\n");
 fprintf(stderr, " -h|--help|-? | command line help\n");
 fprintf(stderr, " -i|--iface | read from given interface\n");
- fprintf(stderr, " -l|--snaplen | number of bytes per packet to capture from interfaces (default 65535)\n");
 fprintf(stderr, " -p|--prefix | add given prefix to policy file resolution\n");
 fprintf(stderr, " -r|--readfile | read from given tcpdump file\n");
 fprintf(stderr, " -y|--flowfile [=] | read from given flow file\n");
@@ -372,7 +371,6 @@ int main(int argc, char** argv)
 {"filter", required_argument, 0, 'f'},
 {"help", no_argument, 0, 'h'},
 {"iface", required_argument, 0, 'i'},
- {"snaplen", required_argument, 0, 'l'},
 {"doc-scripts", no_argument, 0, 'Z'},
 {"prefix", required_argument, 0, 'p'},
 {"readfile", required_argument, 0, 'r'},
@@ -481,10 +479,6 @@ int main(int argc, char** argv)
 interfaces.append(optarg);
 break;
- case 'l':
- snaplen = atoi(optarg);
- break;
-
 case 'p':
 prefixes.append(optarg);
 break;
@@ -833,6 +827,8 @@ int main(int argc, char** argv)
 }
 }
+ snaplen = internal_val("snaplen")->AsCount();
+
 // Initialize the secondary path, if it's needed.
 secondary_path = new SecondaryPath();
From 7d85308b761db2fe61289532ef2fd60d33d91a1b Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Wed, 4 Jan 2012 16:41:39 -0600
Subject: [PATCH 2/2] Remove upgrade documentation regarding change in default snaplen.
---
 doc/upgrade.rst | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/doc/upgrade.rst b/doc/upgrade.rst
index 71cc5e401d..885f8f8b8c 100644
--- a/doc/upgrade.rst
+++ b/doc/upgrade.rst
@@ -168,10 +168,6 @@ New Default Settings
 are loaded. See ``PacketFilter::all_packets`` for how to revert to old behavior.
-- By default, Bro now sets a libpcap snaplen of 65535. Depending on
- the OS, this may have performance implications and you can use the
- ``--snaplen`` option to change the value.
-
 API Changes
 -----------
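Review bot: The assignment `snaplen = internal_val("snaplen")->AsCount();` in the hunk at line 827 copies a script-layer count into the `int` global with no range check. A redef to 0, or to a value that does not fit in an `int` (the count type is presumably unsigned and wider), therefore reaches the capture setup unvalidated, and the sensor could end up capturing no payload or an unintended length without any diagnostic. I would read the value into a local and reject bad input before assigning, e.g. `if ( v == 0 || v > INT_MAX ) { fprintf(stderr, "invalid snaplen\n"); exit(1); }`, ideally with a tighter upper bound matching what the capture library accepts. The enclosing `main()` starts and ends outside the hunk.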