[Snort-users] increase packet size capture problem
jeffs at ...1936...
Tue Oct 26 08:29:03 EDT 2004
I have a rule that captures outgoing data and logs to a seperate file. Problem is that the data is truncated. That is, not all the data is captured. I am aware of the -P option to modify snaplen and also of "session" modifier, but changing these values doesn't seem to work -- I always end up with my outgoing data truncated. I'm presuming that the data that is truncated is being put into a subsequent outing going packet and the alert that generates the first capture cannot say, "Hey, also capture all associated packets." But I figured that's what the "session" keyword is for, but using it doesn't seem to help.
Any help much appreciated.
More information about the Snort-users