It is 1500. That was the first thing I looked at. It is a gig NIC but only 100mb link. It is a mirrored VLAN not a port. In a dump I did not see any tags with a -e.
-mobile work

On Dec 9, 2010, at 5:52, "Luca Deri" <[email protected]> wrote:

Frank
what is the MTU size of the interface you are using for receiving packets?

Regards Luca

On 12/07/2010 02:15 PM, Eargle, Frank wrote:

I am seeing packet truncated with standard ethernet as the following shows:

    **WARNING** packet truncated (12325->8232)
    **WARNING** packet truncated (13746->8232)

Snort is not firing any of the malformed packet rules so I'm pretty confident the packets are "stable". I hesitate to say "correct".

Looking in the pbuf.c I see the following clip. Should the IP only flag turn off the len condition or turn it on?

    if(myGlobals.runningPref.printIpOnly) {
      /* When we do Fibre Channel, the end of the packet contains EOF
       * information and so truncating it isn't a good idea.
       */
      if(len >= DEFAULT_SNAPLEN) len = DEFAULT_SNAPLEN-1;
    }

Any other ideas?

________________________________
Frank Eargle II
Information Security Analyst
SC Computer Incident Response Team
The Division of State Information Technology (DSIT)
4430 Broad River Rd
Columbia, SC 29210
803-896-1650 SC-ISAC Response Center
803-896-0711 Direct Line
http://sc-isac.sc.gov
________________________________
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
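
An added example, not part of the thread and not ntop's own code: a C routine that walks a classic pcap image and counts records captured short of their wire length and records whose wire length exceeds one Ethernet frame at a given MTU, the two conditions the exchange above turns on. The sample image is constructed; only the 12325, 13746 and 8232 figures and the 1500 MTU come from the thread, and the names `triage_pcap` and `build_sample` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HDR 14u /* untagged Ethernet II header, added on top of the MTU */

struct triage { unsigned total, truncated, over_mtu; uint32_t snaplen; };
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk a classic little-endian pcap image. Returns 0, or -1 if malformed. */
int triage_pcap(const uint8_t *b, size_t n, uint32_t mtu, struct triage *t) {
    memset(t, 0, sizeof *t);
    if (n < 24 || rd32(b) != 0xa1b2c3d4u) return -1;
    t->snaplen = rd32(b + 16);                    /* snaplen stored in the file header */
    for (size_t off = 24; off < n; ) {
        if (n - off < 16) return -1;              /* short record header */
        uint32_t incl = rd32(b + off + 8), orig = rd32(b + off + 12);
        off += 16;
        if (incl > n - off) return -1;            /* record data runs past the image */
        t->total++;
        if (incl < orig) t->truncated++;          /* captured less than was on the wire */
        if (orig > mtu + ETH_HDR) t->over_mtu++;  /* longer than one frame at this MTU */
        off += incl;
    }
    return 0;
}

/* Constructed sample (needs cap >= 18126): wire lengths 12325 and 13746 and
 * snaplen 8232 are the figures from the warnings; the other two are made up. */
size_t build_sample(uint8_t *b, size_t cap) {
    static const uint32_t wire[] = { 12325, 13746, 1514, 60 };
    const uint32_t snaplen = 8232;
    size_t off = 24;
    memset(b, 0, cap);
    wr32(b, 0xa1b2c3d4u); wr32(b + 16, snaplen); wr32(b + 20, 1); /* 1 = Ethernet */
    for (int i = 0; i < 4; i++) {
        uint32_t incl = wire[i] < snaplen ? wire[i] : snaplen;
        wr32(b + off + 8, incl); wr32(b + off + 12, wire[i]);
        off += 16 + incl;                         /* payload bytes stay zero */
    }
    return off;
}

int main(void) {
    static uint8_t img[20000];
    struct triage t;
    int rc = triage_pcap(img, build_sample(img, sizeof img), 1500, &t);
    printf("rc=%d records=%u truncated=%u over_mtu=%u\n", rc, t.total, t.truncated, t.over_mtu);
    return rc != 0;
}
```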
