Capture len #283
Capture len #283
Conversation
This is a bad idea as truncated packet will be rejected by the engine.
|
We get an interfaces mtu, wouldn't using that make sense? |
|
That will be equivalent when MTU is correctly known because in both case the whole packet will be sent to suricata. But if MTU is not known (strange interface maybe) that could be an issue. |
|
I've seen our GetMTU func fail in some cases, like on cygwin I think. In that case it would make sense to have it set to unlimited. Is there any performance impact from setting it to unlimited when mtu is low? In other words, if we have an mtu of 1500, will setting unlimited or 1518 (our current default) mean any difference? |
|
I've just read pcap source code and it leads to an interesting conclusion. Pcap is trying to use mmaped capture and setup the ring by using buffer_size as the total memory. It also use "rounded" snaplen as frame size. So there is a direct impact of using a big snaplen. Victor, What do you think ? |
|
Okay, good to know that. I think it should be configurable. We can use MTU, but I've seen too many times a failure of getting it, so we need something that deals with that. What about a per interface setting of "snaplen": snaplen:<auto|mtu|unlimited|> Where "auto" uses mtu where available, unlimited otherwise. Ppl can set if they want to, especially for where mtu fails. I guess "mtu" would lead to error if we can't get the mtu. |
|
OK, make sense. Adding a patch implenting snaplen variable on top of my reworked patchset. |
here's some patches trying to improve the situation regarding snaplen (https://redmine.openinfosecfoundation.org/issues/680). I've made the choice to use unlimited snaplen because I think we really want suricata to get the whole packets. I can add patches allowing to set up length if needed.