From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020801

Description of problem:
I was having problems with Snort mysteriously dying on my PPP gateway machine. It was very frustrating and I recently spent some time tracing the problem. Turns out libpcap creates a network buffer with size based on the MTU, which is not the upper bound for received packet size. Whenever a larger packet comes in, it overflows the buffer, and goes on to trash the adjacent packet filter instructions. When libpcap sees an unknown instruction, it calls abort(), which caused the silent Snort failures that were driving me nuts. This doesn't show up with Ethernet, where the MTU/MRU are usually fixed at 1500. I think this problem is present on all Red Hat versions >=7.0 but I only checked it on 7.0.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. run snort
2. receive a packet larger than the MTU

Additional info:
There are two solutions I tried, one is to simply set the bufsize to a very large value like 64K, the other is to set the size to the available snaplen. The latest version of libpcap does the latter, and the source code claims it will always work on >=2.2 kernels, so I chose that solution. I haven't had any problems with Snort, or anything else that uses libpcap, since applying this patch!
Created attachment 80584: patch to use snaplen
looks good to me..
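
Added example, not the attached patch or libpcap's own code: a minimal C model of the fix the report describes, where the packet buffer is sized from snaplen and every copy is clamped to that size, so a packet larger than the MTU is truncated instead of overwriting whatever sits next to the buffer. The names cap_handle, cap_open, cap_store, cap_guard_intact and cap_close, the guard bytes standing in for the adjacent filter instructions, and the 65535 upper bound are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN 16   /* stands in for the adjacent filter program */

/* Hypothetical capture handle; not libpcap's real structure. */
struct cap_handle {
    size_t   bufsize;  /* bytes usable for packet data */
    uint8_t *arena;    /* packet buffer followed by GUARD_LEN guard bytes */
};

/* Size the buffer from snaplen, as the report's chosen fix does,
 * rather than from the interface MTU. Returns 0 on success, -1 on error. */
int cap_open(struct cap_handle *h, size_t snaplen)
{
    if (snaplen == 0 || snaplen > 65535)   /* assumed sane upper bound */
        return -1;
    h->arena = calloc(1, snaplen + GUARD_LEN);
    if (h->arena == NULL)
        return -1;
    memset(h->arena + snaplen, 0xA5, GUARD_LEN);
    h->bufsize = snaplen;
    return 0;
}

/* Copy one packet, clamping to the allocation so an oversized packet
 * is truncated instead of written past the end. Returns the captured
 * length; *wirelen gets the true length (like caplen/len in pcap_pkthdr). */
size_t cap_store(struct cap_handle *h, const uint8_t *pkt, size_t len,
                 size_t *wirelen)
{
    size_t caplen = len < h->bufsize ? len : h->bufsize;
    memcpy(h->arena, pkt, caplen);
    *wirelen = len;
    return caplen;
}

/* Returns 1 if the bytes after the packet buffer are untouched. */
int cap_guard_intact(const struct cap_handle *h)
{
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (h->arena[h->bufsize + i] != 0xA5)
            return 0;
    return 1;
}

void cap_close(struct cap_handle *h) { free(h->arena); h->arena = NULL; }
```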