[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?

Ryan Russell ryan at ...35...
Tue Jan 2 14:37:23 EST 2001

On Wed, 3 Jan 2001, Fyodor wrote:

> so here complain if buffer length is bigger that ETHERNET_MTU which is 1500 bytes. This conclusion
> (IMHO) actually isn't fully correct, other datalinks may have different MTU (normally smaller, but
> maybe there's a one which is not?).
> --

FDDI is 4096.  Don't remember what Toekn Ring is... I think it's bigger
than 1500.  There's a spec for some giant Ethernet frames that goes to I
think 64K.  Serial lines can be configured for all sorts of MTU.  Lesse...
here's one doc, MS of all places:


Don't know what link layers Snort (libpcap?) intends to support... but
1500 is too small for a hard max.


More information about the Snort-users mailing list