I noticed #447 but found a default of 8192 still being used from “share/bro/base/init-bare.bro”, line 2793.
Using a value of “0” results in an error for libpcap
==== stderr.log
fatal error: /usr/local/3rd-party/bro/bin/bro: problem with interface eth5 - pcap_compile(): snaplen of 0 rejects all packets
65535 is accepted:
==== stderr.log
listening on eth5, capture length 65535 bytes
We discovered that it was causing some pretty severe performance problems and changed back to 8192 by default. Ultimately the best choice will be to set the snaplen to the MTU for the link you are monitoring and to make sure and turn off all NIC features. Doug Burks has a good reference for these features here:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
I left a comment on the ticket so that people won't get caught by that quick change around in the future too.
.Seth
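The advice above (snaplen sized to the link MTU, NIC offload features switched off, and never a snaplen of 0) can be turned into a small pre-flight check. The script below is an added example, not Seth's or Bro's own code: the link-layer overhead it adds to the MTU (14-byte Ethernet header plus one 4-byte 802.1Q tag) and the name of the redef-able constant it prints for local.bro are assumptions, and the interface name is whatever you pass as the first argument. It only prints the ethtool commands rather than running them, so you can review them before applying them as root.

```shell
#!/bin/sh
# Added example (not part of the thread above): derive a capture length from
# the monitored link's MTU and emit the ethtool commands that turn off the NIC
# offload features which would otherwise hand the sniffer frames larger than
# the wire MTU. Header sizes and the Bro redef name are assumptions.

ETH_HDR=14        # Ethernet II header (assumption: plain Ethernet link)
VLAN_TAG=4        # one 802.1Q tag (assumption; bump for QinQ)
MAX_SNAPLEN=65535 # largest value libpcap accepts

# snaplen_for_mtu MTU -> prints MTU plus the link-layer overhead above.
snaplen_for_mtu() {
    echo $(( $1 + ETH_HDR + VLAN_TAG ))
}

# check_snaplen N -> exit status 0 if usable, 1 otherwise.
# libpcap rejects 0 ("snaplen of 0 rejects all packets") and caps at 65535.
check_snaplen() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] && [ "$1" -le "$MAX_SNAPLEN" ]
}

# iface_mtu IFACE -> prints the interface MTU from sysfs (Linux only).
iface_mtu() {
    cat "/sys/class/net/$1/mtu"
}

# offload_commands IFACE -> prints the ethtool invocations to run as root.
# The feature names are standard "ethtool -K" keywords.
offload_commands() {
    for feat in gro lro tso gso rx tx sg rxvlan txvlan; do
        echo "ethtool -K $1 $feat off"
    done
}

# plan IFACE -> prints the whole plan for one interface, or fails loudly.
plan() {
    mtu=$(iface_mtu "$1") || { echo "no such interface: $1" >&2; return 1; }
    len=$(snaplen_for_mtu "$mtu")
    check_snaplen "$len" || { echo "unusable snaplen $len" >&2; return 1; }
    echo "# $1: MTU $mtu -> snaplen $len"
    offload_commands "$1"
    # Assumed constant name; confirm it against your own init-bare.bro.
    echo "# add to local.bro:  redef snaplen = $len;"
}

# Usage: sh snaplen-plan.sh eth5
if [ $# -ge 1 ]; then
    plan "$1"
fi
```

Run it once per monitored interface and compare the printed snaplen with what Bro reports in stderr.log ("listening on eth5, capture length N bytes"); if the two disagree, the redef did not take effect.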