<p dir="ltr">Hi Leonard </p>
<p dir="ltr">Take a look at this article, <a href="http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html">http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html</a>. <br>

Best practice would be to turn off all offloading. </p>
<p dir="ltr">Regards, <br>
Lysemose </p>
<div class="gmail_quote">On Jun 11, 2013 2:16 PM, "Leonard Jacobs" <<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I also read that some network cards have features named Large Receive Offload (lro) and Generic Receive Offload (gro), and with these features enabled, the network card performs packet reassembly before they’re processed by the kernel.  Could this be making the packets too big when they hit af-packet? Should I disable lro and gro in the interfaces?<br>

<br>
I think there are other settings in some interfaces that deal with packet fragmentation.  Should I look to disable those too?<br>
<br>
Thanks.<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:no-reply@openinfosecfoundation.org">no-reply@openinfosecfoundation.org</a> [mailto:<a href="mailto:no-reply@openinfosecfoundation.org">no-reply@openinfosecfoundation.org</a>]<br>
Sent: Tuesday, June 11, 2013 6:13 AM<br>
To: <a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>; <a href="mailto:victor@inliniac.net">victor@inliniac.net</a>; <a href="mailto:hendomatic@gmail.com">hendomatic@gmail.com</a>; <a href="mailto:oisf-internal-dev@openinfosecfoundation.org">oisf-internal-dev@openinfosecfoundation.org</a>; <a href="mailto:iglesiasg@gmail.com">iglesiasg@gmail.com</a>; <a href="mailto:msolum59@yahoo.com">msolum59@yahoo.com</a>; <a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a><br>

Subject: [Suricata - Bug #812] SonicWALL Adventail SSL VPN Issue in Suricata af-packet IPS Mode<br>
<br>
<br>
Issue #812 has been updated by Eric Leblond.<br>
<br>
<br>
Hello, can you try to set "defrag: no" in the af-packet interfaces configuration? Kernel defragmentation could result in packets bigger than the MTU being received.<br>
<br>
----------------------------------------<br>
Bug #812: SonicWALL Adventail SSL VPN Issue in Suricata af-packet IPS Mode<br>
<a href="https://redmine.openinfosecfoundation.org/issues/812#change-3019" target="_blank">https://redmine.openinfosecfoundation.org/issues/812#change-3019</a><br>
<br>
* Author: Leonard Jacobs<br>
* Status: New<br>
* Priority: Normal<br>
* Assignee:<br>
* Category:<br>
* Target version:<br>
----------------------------------------<br>
When enabling Suricata in af-packet IPS, the SSL VPN communications come to a halt.  SonicWALL might be doing SOCKS over HTTPS for their SSL VPN communications.<br>
<br>
MTUs are set to 1500 on af-packet peered Ethernet interfaces.<br>
<br>
The SSL VPN works fine in IDS mode.<br>
<br>
<br>
--<br>
You have received this notification because you have either subscribed to it, or are involved in it.<br>
To change your notification preferences, please click here: <a href="https://redmine.openinfosecfoundation.org/my/account" target="_blank">https://redmine.openinfosecfoundation.org/my/account</a><br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a></blockquote></div>
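<p dir="ltr">The two fixes discussed in the thread, turning off NIC offloading on the af-packet peered interfaces and setting <code>defrag: no</code>, as an added example that is not part of the original mails or of Suricata itself. The script parses <code>ethtool -k</code> output to find offloads that are currently on and not marked <code>[fixed]</code>, prints the <code>ethtool -K</code> command that would turn them off, and emits a matching af-packet IPS fragment for suricata.yaml. The interface names, the sample <code>ethtool -k</code> output and the cluster-ids are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Suricata project):
# find active NIC offloads on an af-packet IPS pair and build the config
# fragment with kernel defragmentation disabled.

# Constructed `ethtool -k eth0` output used for the offline demonstration.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# pending_offloads: read `ethtool -k IFACE` output on stdin and print the
# short ethtool -K names of the offloads that are on and can be changed.
# GRO/LRO/GSO/TSO are the ones that hand af-packet frames larger than the
# wire MTU; rx/tx checksum and scatter-gather are turned off as well, as the
# linked Security Onion article recommends ("turn off all offloading").
pending_offloads() {
    awk -F': ' '
        BEGIN {
            short["rx-checksumming"]             = "rx"
            short["tx-checksumming"]             = "tx"
            short["scatter-gather"]              = "sg"
            short["tcp-segmentation-offload"]    = "tso"
            short["generic-segmentation-offload"] = "gso"
            short["generic-receive-offload"]     = "gro"
            short["large-receive-offload"]       = "lro"
        }
        # Only top-level features (no leading tab); sub-features follow the parent.
        /^[a-z]/ && ($1 in short) {
            if ($2 ~ /^on/ && $2 !~ /\[fixed\]/) print short[$1]
        }
    '
}

# offload_disable_cmd IFACE: read the list from pending_offloads on stdin and
# print the single ethtool command that turns all of them off (nothing is
# printed when no offload is active).
offload_disable_cmd() {
    args=$(awk '{ printf "%s%s off", (NR > 1 ? " " : ""), $1 }')
    if [ -n "$args" ]; then
        echo "ethtool -K $1 $args"
    fi
}

# afpacket_ips_yaml IF1 IF2: suricata.yaml af-packet section for an inline
# pair, with "defrag: no" as suggested in the bug thread so the kernel does
# not reassemble fragments into oversized packets before af-packet sees them.
# Cluster-ids 98/99 are arbitrary example values.
afpacket_ips_yaml() {
    cat <<EOF
af-packet:
  - interface: $1
    copy-mode: ips
    copy-iface: $2
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
  - interface: $2
    copy-mode: ips
    copy-iface: $1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
EOF
}

# With interface names as arguments, inspect the live interfaces and print
# (but do not run) the ethtool commands that would disable active offloads.
for ifc in "$@"; do
    ethtool -k "$ifc" | pending_offloads | offload_disable_cmd "$ifc"
done
```

<p dir="ltr">Run it as <code>sh check-offload.sh eth1 eth2</code> on the sensor, review the printed <code>ethtool -K</code> lines, then apply them and put the <code>afpacket_ips_yaml eth1 eth2</code> output in suricata.yaml. Offload settings do not survive a reboot, so the same <code>ethtool -K</code> lines belong in the interface's pre-up hook or a boot script.</p>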