Bro 2.5 appears to be ignoring redefs of Pcap::snaplen

For a long time I have used “redef Pcap::snaplen = 1600;” in local.bro to make Bro drop its default snaplen from 8192 to 1600. This is helpful for conserving memory when using Bro in conjunction with PF_RING and a high number of ring slots.

Today I just noticed that while Bro does not complain about “redef Pcap::snaplen = 1600;” when I run a “broctl check”, that Bro appears to be ignoring the redef. All my Bro instances are actually using a snaplen of 8192.

I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0 (SO test).

The “Bucket Len” in the below PF_RING status file corresponds to the snaplen of the app that allocated the ring.

root@nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
Bound Device(s) : dmz
Active : 1
Breed : Standard
Appl. Name : bro-dmz
Socket Mode : RX+TX
Capture Direction : RX+TX
Sampling Rate : 1
IP Defragment : No
BPF Filtering : Enabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules : 0
Hw Filt Rules : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss : 0
Poll Pkt Watermark : 1
Num Poll Calls : 345386919
Channel Id Mask : 0xFFFFFFFFFFFFFFFF
Cluster Id : 21
Slot Version : 16 [6.4.1]
Min Num Slots : 128000
Bucket Len : 8192
Slot Len : 8248 [bucket+header]
Tot Memory : 1055756288
Tot Packets : 1966471960
Tot Pkt Lost : 3
Tot Insert : 1966471957
Tot Read : 1966471957
Insert Offset : 809944608
Remove Offset : 809944608
Num Free Slots : 128000
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0

Please advise me about how to successfully change the snaplen used by Bro 2.5 at this time, Can anyone reproduce this problem? I don’t know if this issue applies across the board or only comes up with PF_RING. Let me know if there is anything I can do to help test this issue.

Thanks!
Kevin

Are you using pf_ring through libpcap, or are you using the pf-ring
plugin?

In case you are using it through libpcap - Bro just calls
pcap_set_snaplen; if it does not work anymore it is probably that this is
an issue with PF_RING or the pfring libpcap.

Johanna

You might want to try setting this value in your etc/broctl.cfg file:
pcapsnaplen=1600