Hi Bryan,
Replies inline.
On Thu, Nov 6, 2014 at 5:51 PM, bryan bent <bean...@gmail.com> wrote:
> I am using Security Onion to record and play back PCAP files. To record I am using Wireshark
Any particular reason why? Wireshark is a great tool for analyzing
pcap files, but I wouldn't recommend it for sniffing live traffic.
Consider using netsniff-ng instead as that's what we normally use in
Security Onion for sniffing live traffic.
> and to replay I am using tcpreplay. I am recording some packets that have really high MTU rates, in the neighborhood of 17,000+
My first guess would be that this is due to recording on a standard
interface that hasn't been configured specifically for sniffing.
Please see:
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
Since you're running Security Onion, did you run through our Setup
wizard and configure a sniffing interface? If not, please do so and
this should make your recorded packets the correct size for the actual
network you're sniffing.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
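
The following is an added example, not part of the original message or of Security Onion: a check that reads a classic pcap file and lists frames longer than the network's MTU, the symptom discussed in this thread. It assumes Ethernet II framing without VLAN tags and a 1500-byte MTU by default; the function names and the sample capture are constructed for illustration.

```python
import struct

ETH_HEADER = 14  # assumed: Ethernet II header, no VLAN tag

def oversized_frames(pcap_bytes, mtu=1500):
    """Return (index, orig_len, cap_len) for every frame longer than mtu + Ethernet header."""
    if len(pcap_bytes) < 24:
        raise ValueError("too short for a pcap global header")
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # microsecond / nanosecond, little-endian
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # same two formats, big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    limit = mtu + ETH_HEADER
    hits, offset, index = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        _sec, _frac, cap_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        if offset + cap_len > len(pcap_bytes):
            break  # final record is truncated; stop rather than misparse
        if orig_len > limit:
            hits.append((index, orig_len, cap_len))
        offset += cap_len
        index += 1
    return hits

def build_sample():
    """Constructed capture: three zero-filled frames of 60, 1514 and 17434 bytes."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, size in enumerate((60, 1514, 17434)):
        data += struct.pack("<IIII", n, 0, size, size) + bytes(size)
    return data

if __name__ == "__main__":
    for idx, orig_len, cap_len in oversized_frames(build_sample()):
        print(f"frame {idx}: {orig_len} bytes on the wire, {cap_len} captured")
```

To check a real capture, pass the file's contents, for example `oversized_frames(open(path, "rb").read())`, and set `mtu` to the value of the network being sniffed.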