[Snort-users] increase packet size capture problem

Jeffrey Starin jeffs at ...1936...
Tue Oct 26 08:29:03 EDT 2004


I have a rule that captures outgoing data and logs to a separate file.  Problem is that the data is truncated.  That is, not all the data is captured.  I am aware of the -P option to modify snaplen and also of the "session" modifier, but changing these values doesn't seem to work -- I always end up with my outgoing data truncated.  I'm presuming that the data that is truncated is being put into a subsequent outgoing packet and the alert that generates the first capture cannot say, "Hey, also capture all associated packets."  But I figured that's what the "session" keyword is for, but using it doesn't seem to help.

Any help much appreciated.

Thanks,

bulgin





