TCP Replay Error: Message too long errno = 90 MTU above 9216


bryan bent

Nov 6, 2014, 5:51:54 PM
to securit...@googlegroups.com
I am using Security Onion to record and play back PCAP files. To record I am using wireshark and to replay I am using tcpreplay. I am recording some packets that have really high MTU rates, in the neighborhood of 17,000+ and they are causing tcpreplay to result in errors "Message too long errno = 90". I have changed the MTU to 9216 but this is still under the MTU size for playback and the system will not let me change it to a higher number. When I attempt to change it higher than that I receive the message "invalid argument". Is there any way to set this to a higher number or change it to support a higher number? I know that I can filter out these on the way in (recording), but that does not really serve my purpose. Thank you.

Bryan B.

Doug Burks

Nov 7, 2014, 9:06:38 AM
to securit...@googlegroups.com
Hi Bryan,

Replies inline.

On Thu, Nov 6, 2014 at 5:51 PM, bryan bent <bean...@gmail.com> wrote:
> I am using Security Onion to record and play back PCAP files. To record I am using wireshark

Any particular reason why? Wireshark is a great tool for analyzing
pcap files, but I wouldn't recommend it for sniffing live traffic.
Consider using netsniff-ng instead as that's what we normally use in
Security Onion for sniffing live traffic.

> and to replay I am using tcpreplay. I am recording some packets that have really high MTU rates, in the neighborhood of 17,000+

My first guess would be that this is due to recording on a standard
interface that hasn't been configured specifically for sniffing.
Please see:
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

Since you're running Security Onion, did you run through our Setup
wizard and configure a sniffing interface? If not, please do so and
this should make your recorded packets the correct size for the actual
network you're sniffing.


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
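A way to check a capture for the oversized frames discussed in this thread before handing it to tcpreplay, as an added example that is not part of the original posts: it reads a classic libpcap file and lists the frames whose stored length exceeds the replay interface's MTU plus the Ethernet header. The function names and the sample capture are constructed for illustration, and an Ethernet capture (linktype 1) is assumed.

```python
import struct

# Classic libpcap magic numbers -> byte order of the header fields
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond
ETH_HEADER_LEN = 14  # assumption: Ethernet capture (linktype 1)


def oversized_frames(pcap_bytes, mtu=9216):
    """Return [(frame_number, stored_length)] for frames that exceed mtu + Ethernet header."""
    if len(pcap_bytes) < 24 or pcap_bytes[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic libpcap file")
    endian = PCAP_MAGICS[pcap_bytes[:4]]
    (linktype,) = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    limit = mtu + ETH_HEADER_LEN
    hits, offset, number = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_frac, incl_len (bytes stored), orig_len (bytes on wire)
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        if offset + 16 + incl_len > len(pcap_bytes):
            break  # truncated final record
        number += 1
        if incl_len > limit:
            hits.append((number, incl_len))
        offset += 16 + incl_len
    return hits


def build_sample(frame_lengths):
    """Constructed capture: zero-filled Ethernet frames of the given lengths."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, n in enumerate(frame_lengths):
        out += struct.pack("<IIII", i, 0, n, n) + bytes(n)
    return out


if __name__ == "__main__":
    sample = build_sample([60, 1514, 9230, 17390])  # constructed sizes
    for mtu in (1500, 9216):
        print(mtu, oversized_frames(sample, mtu))
```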

Furkan Çalışkan

Apr 15, 2018, 8:39:30 AM
to security-onion
On Friday, November 7, 2014 at 01:51:54 UTC+3, bryan bent wrote:
> I am using Security Onion to record and play back PCAP files. To record I am using wireshark and to replay I am using tcpreplay. I am recording some packets that have really high MTU rates, in the neighborhood of 17,000+ and they are causing tcpreplay to result in errors "Message too long errno = 90". I have changed the MTU to 9216 but this is still under the MTU size for playback and the system will not let me change it to a higher number. When I attempt to change it higher than that I receive the message "invalid argument". Is there any way to set this to a higher number or change it to support a higher number? I know that I can filter out these on the way in (recording), but that does not really serve my purpose. Thank you.
>
> Bryan B.

I encountered the same problem today in my VM SO-ELK-GA installation. Its memory was 8 GB. When I upgraded it to 10 GB and re-installed, it was fixed.

Regards,