[Snort-devel] spo_alert_unixsock is broken, patch attached
Dirk_Geschke at ...802...
Tue Mar 13 12:43:16 EDT 2007
I think it would be a better fix to allow only a snaplen of SNAPLEN
within snort. This would make rethinking of the caplen size more obsolete.
With your fix you may end up in a big/little endian problem.
BTW: Does anyone understand this definition:
/* IRIX 6.2 hack! */
#define SNAPLEN 1514
#define SNAPLEN 1500
I think for ethernet it should be 1514 regardless which OS, normally
14 bytes are the size of the MAC header... (Ok, 1518 would be more
precisely but the last 4 bytes are only an end marker.)
And furthermore: For GB-Ethernet can use jumbo frames. So maybe it
would be better to set SNAPLEN to 9014?
More information about the Snort-devel