Hello,
I wonder what happens if my mtu is set to 1500 (default) and a jumbo TCP or UDP packet is sent to Bro’s monitored interface.
Will Bro parse only the packet containing the IP header ?
Thanks
B
I'd actually expect Bro to reassemble IPv4/IPv6 fragments by default,
providing that it is actually seeing the fragments from the interface
in their entirety. Anything relevant in weird.log? e.g. there could
be other problems going on that prevent fully processing the
fragments, like bad checksums (maybe from nic offloading), or
incomplete captures (from too low a snaplen setting).
- Jon