Advanced Setup prompts for PCAP size
If you've already run Setup and want to change the default 150MB PCAP size, you can add the PCAP_SIZE option to /etc/nsm/HOSTNAME-INTERFACE/sensor.conf. Please note that netsniff-ng accepts the following units for PCAP_SIZE:
So if you want to increase your PCAPs to 500MB, you would add the following option to /etc/nsm/HOSTNAME-INTERFACE/sensor.conf:
Then restart netsniff-ng as follows:
sudo nsm_sensor_ps-restart --only-pcap
Also, I've seen some intermittent cases where pcap_agent fails to start right after running Setup, so I've added a 5-second delay between starting netsniff-ng and starting pcap_agent to help ensure that netsniff-ng is fully initialized.
These updates resolve the following issues:
Issue 341: nsm_sensor_ps-start needs "sleep 5s" between netsniff-ng and pcap_agent
Issue 314: Update NSM scripts so that netsniff-ng pcap size is configurable by user
Thanks to JP Bourget for the NSM/Setup patches for setting the PCAP size!
Thanks to the following for testing the new package:
The new package is now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
If you have any questions or problems, please use our mailing list:
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!