[Snort-devel] spo_alert_unixsock is broken, patch attached
Stephen J. Sadowski
stephen.j.sadowski at ...2927...
Wed Mar 14 09:53:24 EDT 2007
On Tue, 2007-03-13 at 17:43 +0100, Dirk Geschke wrote:
> BTW: Does anyone understand this definition:
> /* IRIX 6.2 hack! */
> #ifndef IRIX
> #define SNAPLEN 1514
> #define SNAPLEN 1500
> I think for ethernet it should be 1514 regardless which OS, normally
> 14 bytes are the size of the MAC header... (Ok, 1518 would be more
> precisely but the last 4 bytes are only an end marker.)
On IRIX, libpcap won't set the snapshot length to more than 1514 bytes -
I think this is for managing that peculiarity internal to snort rather
than passing it off to libpcap to handle.
I haven't dug too much, and don't know if this is exactly the right
answer, but it's my best guess.
More information about the Snort-devel