Troubleshoot Dropping of Packets Due to Higher MTU (Oversize Packet)

Introduction

Packets in any network may have higher MTU than the default size of 1518 bytes. This may cause the packets to be dropped at the interface of a managed device before they are processed by Snort. As a result, there will be no corresponding events on the web user interface of a FireSIGHT Management Center. This document describes how to verify packet drops due to oversize packets, and how to change the default the MTU settings on a FireSIGHT System.

Verification

In order to determine if a drop occurs due to MTU size, follow the steps below:

1. Log into your managed device via Secure Shell (SSH), and run the following command:

> show portstats

Example output:

2. Check the Oversize packets for each port. Verify if the number is zero or higher. The above screenshot, for example,  shows the oversize counters of port s1p1 is zero. This check let you know which ports are receiving oversize packets.

Configuration

If the interfaces of your managed device see oversized packets, you must increase the MTU on the interfaces. In order to change the MTU, follow the steps below:

1. Login to the web user interface of your FireSIGHT Management Center.

2. Navigate to Devices > Device Management.

3. Click on the Inline Sets tab, and click Edit next to the Inline Set you wish to change.

4. Set the MTU field to an appropriate number based on the type of traffic of your network.

4. Save and apply the changes.